From 98e0ddd397e9dcd7ae21b6a13c87bf297393522f Mon Sep 17 00:00:00 2001
From: Manoel Aranda Neto
Date: Wed, 28 Jan 2026 16:11:49 +0100
Subject: [PATCH 1/8] Add CodeQL Advanced workflow for security analysis
---
.github/workflows/codeql.yml | 45 ++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..90ce78d4
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,45 @@
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ${{ matrix.runner }}
+ permissions:
+ security-events: write
+ packages: read
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: java-kotlin
+ build-mode: autobuild
+ runner: ubuntu-latest
+ - language: swift
+ build-mode: none
+ runner: macos-latest
+ - language: actions
+ build-mode: none
+ runner: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ queries: security-and-quality
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: '/language:${{matrix.language}}'
From e4b039e320882b7905a198c7e20d2bf8234a12e0 Mon Sep 17 00:00:00 2001
From: Manoel Aranda Neto
Date: Wed, 28 Jan 2026 16:14:18 +0100
Subject: [PATCH 2/8] Fix Swift CodeQL: use autobuild mode with Flutter/Xcode setup
---
.github/workflows/codeql.yml | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 90ce78d4..4304e7af 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
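Review bot: The `on:` block of the new codeql.yml runs the analysis only on push and pull_request to main, so an unchanged main is never re-scanned when the `security-and-quality` pack gains new queries; the CodeQL starter workflow adds a `schedule:` trigger for exactly that, e.g. `schedule:` / `  - cron: '30 5 * * 1'` (example slot, any weekly time will do). The job-level `permissions` block lists only `security-events: write` and `packages: read`; a job-level block sets every unlisted scope to none, so `contents: read` (and `actions: read`, which GitHub documents as required in private repositories) is worth adding explicitly rather than relying on the repository staying public. `actions/checkout@v6` and the two `github/codeql-action` steps are referenced by major tag rather than commit SHA, which lines up with the owner allowlist in ci-security.yaml (`github/` is added there in patch 3) but means the allowlist, not a pin, is what vouches for those three steps.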
@@ -23,7 +23,7 @@ jobs: build-mode: autobuild runner: ubuntu-latest - language: swift - build-mode: none + build-mode: autobuild runner: macos-latest - language: actions build-mode: none @@ -32,6 +32,25 @@ jobs: - name: Checkout repository uses: actions/checkout@v6 + - name: Setup Flutter (Swift) + if: matrix.language == 'swift' + uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0 + with: + channel: 'stable' + + - name: Setup Xcode (Swift) + if: matrix.language == 'swift' + uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0 + with: + xcode-version: '16.4' + + - name: Install dependencies (Swift) + if: matrix.language == 'swift' + run: | + flutter pub get + cd example + flutter pub get + - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: From 06b52badf6aa007076b2af247bffc2e7b255d0d5 Mon Sep 17 00:00:00 2001 From: Manoel Aranda Neto Date: Wed, 28 Jan 2026 16:16:13 +0100 Subject: [PATCH 3/8] Allow github/ actions in security allowlist, update example config --- .github/workflows/ci-security.yaml | 1 + example/lib/main.dart | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-security.yaml b/.github/workflows/ci-security.yaml index be2e6877..00d6ddae 100644 --- a/.github/workflows/ci-security.yaml +++ b/.github/workflows/ci-security.yaml @@ -27,3 +27,4 @@ jobs: allowlist: | actions/ PostHog/ + github/ diff --git a/example/lib/main.dart b/example/lib/main.dart index a11afa3c..c8f62264 100644 --- a/example/lib/main.dart +++ b/example/lib/main.dart @@ -15,7 +15,7 @@ Future main() async { config.captureApplicationLifecycleEvents = false; config.host = 'https://us.i.posthog.com'; config.surveys = false; - config.sessionReplay = false; + config.sessionReplay = true; config.sessionReplayConfig.maskAllTexts = false; config.sessionReplayConfig.maskAllImages = false; config.sessionReplayConfig.throttleDelay = const Duration(milliseconds: 1000); 
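Review bot: `channel: 'stable'` in the Setup Flutter (Swift) step leaves the Flutter SDK version floating, so the toolchain that produces the CodeQL database changes silently whenever stable moves and a failed or changed analysis cannot be reproduced against a known SDK; the action's `flutter-version` input, e.g. `flutter-version: '<pinned-version>'`, pins it the same way `xcode-version: '16.4'` already pins Xcode. The same applies to the Setup Flutter (Java/Kotlin) step added in patch 5. The SHA pins with trailing `# v2.21.0` / `# v1.6.0` comments on the two third-party actions are the right pattern and should be kept when the versions are bumped. The `analyze` job these steps belong to starts above the hunk.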
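Review bot: Adding `github/` to `allowlist` exempts every action under the GitHub-owned organisation from this check, not just `github/codeql-action`, so the reason belongs in a comment; it has to go on the line above `allowlist: |` rather than inside the block scalar, where a `#` line would become part of the allowlist value, e.g. `# Owner prefixes whose actions may be referenced by tag instead of SHA (first-party only)`. I am reading the entries as owner-prefix matches from their shape; if the step does exact matching this is moot. The step these lines belong to starts above the hunk.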
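Review bot: `config.sessionReplay = true` sits directly above the context lines `maskAllTexts = false` and `maskAllImages = false`, so this hunk turns on unmasked replay in the example app while the commit subject is about the allowlist; patch 4 reverts this hunk and the error-tracking one, so the two commits are pure churn and could be squashed out of the series. `main` starts and ends outside the hunk.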
@@ -23,11 +23,11 @@ Future main() async { // Configure error tracking and exception capture config.errorTrackingConfig.captureFlutterErrors = - true; // Capture Flutter framework errors + false; // Capture Flutter framework errors config.errorTrackingConfig.capturePlatformDispatcherErrors = - true; // Capture Dart runtime errors + false; // Capture Dart runtime errors config.errorTrackingConfig.captureIsolateErrors = - true; // Capture isolate errors + false; // Capture isolate errors if (kIsWeb) { runZonedGuarded( From 3627c74379af72b19b1133edcc857756d2412f49 Mon Sep 17 00:00:00 2001 From: Manoel Aranda Neto Date: Wed, 28 Jan 2026 16:16:42 +0100 Subject: [PATCH 4/8] Revert example/lib/main.dart changes --- example/lib/main.dart | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/example/lib/main.dart b/example/lib/main.dart index c8f62264..a11afa3c 100644 --- a/example/lib/main.dart +++ b/example/lib/main.dart @@ -15,7 +15,7 @@ Future main() async { config.captureApplicationLifecycleEvents = false; config.host = 'https://us.i.posthog.com'; config.surveys = false; - config.sessionReplay = true; + config.sessionReplay = false; config.sessionReplayConfig.maskAllTexts = false; config.sessionReplayConfig.maskAllImages = false; config.sessionReplayConfig.throttleDelay = const Duration(milliseconds: 1000); @@ -23,11 +23,11 @@ Future main() async { // Configure error tracking and exception capture config.errorTrackingConfig.captureFlutterErrors = - false; // Capture Flutter framework errors + true; // Capture Flutter framework errors config.errorTrackingConfig.capturePlatformDispatcherErrors = - false; // Capture Dart runtime errors + true; // Capture Dart runtime errors config.errorTrackingConfig.captureIsolateErrors = - false; // Capture isolate errors + true; // Capture isolate errors if (kIsWeb) { runZonedGuarded( From 22e994e3531acb6e383bb64f0348e22751882b6d Mon Sep 17 00:00:00 2001 
From: Manoel Aranda Neto Date: Wed, 28 Jan 2026 16:23:06 +0100 Subject: [PATCH 5/8] Fix Java/Kotlin CodeQL: use manual build mode with Flutter APK build --- .github/workflows/codeql.yml | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4304e7af..f0903c6f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -20,7 +20,7 @@ jobs: matrix: include: - language: java-kotlin - build-mode: autobuild + build-mode: manual runner: ubuntu-latest - language: swift build-mode: autobuild @@ -51,6 +51,26 @@ jobs: cd example flutter pub get + - name: Setup Java (Java/Kotlin) + if: matrix.language == 'java-kotlin' + uses: actions/setup-java@v5 + with: + java-version: 17 + distribution: 'temurin' + + - name: Setup Flutter (Java/Kotlin) + if: matrix.language == 'java-kotlin' + uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0 + with: + channel: 'stable' + + - name: Install dependencies (Java/Kotlin) + if: matrix.language == 'java-kotlin' + run: | + flutter pub get + cd example + flutter pub get + - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: @@ -58,6 +78,11 @@ jobs: build-mode: ${{ matrix.build-mode }} queries: security-and-quality + - name: Build Android (Java/Kotlin) + if: matrix.language == 'java-kotlin' + working-directory: ./example + run: flutter build apk + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: From 896d699f4cafbb4d513e05cb39ee010374d4ead9 Mon Sep 17 00:00:00 2001 From: Manoel Aranda Neto Date: Wed, 28 Jan 2026 16:32:16 +0100 Subject: [PATCH 6/8] Fix Swift CodeQL: use manual build mode with flutter build ios --- .github/workflows/codeql.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f0903c6f..449bc3ed 100644 --- a/.github/workflows/codeql.yml 
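Review bot: The Setup Flutter (Java/Kotlin) and Install dependencies (Java/Kotlin) steps duplicate the Swift ones line for line except for the `if:` guard; one pair guarded by `if: matrix.language != 'actions'` covers both matrix entries and keeps the two setups from drifting (the Setup Java step stays java-kotlin-only). `java-version: 17` is the only unquoted version in the file — it parses as a YAML integer, which setup-java tolerates, but `java-version: '17'` matches `xcode-version: '16.4'` and `channel: 'stable'`. In the Build Android step `flutter build apk` produces a release build; a `--debug` build compiles the same Dart/Kotlin/Java sources without shrinking or signing and should be enough for the tracer, though that is worth confirming against the resulting database.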
+++ b/.github/workflows/codeql.yml @@ -23,7 +23,7 @@ jobs: build-mode: manual runner: ubuntu-latest - language: swift - build-mode: autobuild + build-mode: manual runner: macos-latest - language: actions build-mode: none @@ -83,6 +83,11 @@ jobs: working-directory: ./example run: flutter build apk + - name: Build iOS (Swift) + if: matrix.language == 'swift' + working-directory: ./example + run: flutter build ios --simulator --no-codesign + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: From ee3322d8ccb2ff6588bf4bbdbcda3e0430a2ac47 Mon Sep 17 00:00:00 2001 From: Manoel Aranda Neto Date: Wed, 28 Jan 2026 16:42:34 +0100 Subject: [PATCH 7/8] Fix Swift CodeQL: use xcodebuild for proper Swift tracing --- .github/workflows/codeql.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 449bc3ed..0be03282 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -86,7 +86,11 @@ jobs: - name: Build iOS (Swift) if: matrix.language == 'swift' working-directory: ./example - run: flutter build ios --simulator --no-codesign + run: | + flutter build ios --simulator --no-codesign --config-only + cd ios + pod install + xcodebuild -workspace Runner.xcworkspace -scheme Runner -sdk iphonesimulator -destination 'platform=iOS Simulator,name=iPhone 16' build - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From 5f3d3bee4d095e0a312f7f12cd9da42e9c1180cb Mon Sep 17 00:00:00 2001 From: Manoel Aranda Neto Date: Wed, 28 Jan 2026 16:44:17 +0100 Subject: [PATCH 8/8] Use generic iOS Simulator destination for xcodebuild --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0be03282..6ff130a3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
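Review bot: `pod install` in the Build iOS (Swift) run block resolves CocoaPods at analysis time; if `example/ios/Podfile.lock` is committed that pins the set, otherwise the Swift code that ends up in the CodeQL database floats with the spec repo and a new alert cannot be tied to a repository change — worth confirming the lockfile is tracked. Any pod that compiles Swift from source is traced into the database alongside the plugin, so alerts may surface in third-party code; a CodeQL config file with `paths-ignore` can scope that if it becomes noise. The step runs under the runner's default `bash -e`, so a failing `pod install` does stop the job before `xcodebuild`.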
@@ -90,7 +90,7 @@ jobs: flutter build ios --simulator --no-codesign --config-only cd ios pod install - xcodebuild -workspace Runner.xcworkspace -scheme Runner -sdk iphonesimulator -destination 'platform=iOS Simulator,name=iPhone 16' build + xcodebuild -workspace Runner.xcworkspace -scheme Runner -sdk iphonesimulator -destination 'generic/platform=iOS Simulator' build - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4
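Review bot: The rewritten `xcodebuild` line runs to roughly 140 columns inside the `run: |` block, so the destination change is hard to spot in the diff and future flag edits will be too; breaking the invocation with backslash continuations keeps one flag per line (the literal block preserves the newlines and bash joins them).
```yaml
      run: |
        # … unchanged: flutter build ios / cd ios / pod install …
        xcodebuild \
          -workspace Runner.xcworkspace \
          -scheme Runner \
          -sdk iphonesimulator \
          -destination 'generic/platform=iOS Simulator' \
          build
```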