Actions and workflows according to convention

.github/workflows/build_base.yml → .github/workflows/5_builderpackage_wazuh_dashboard.yml

@@ -1,6 +1,14 @@
 # This is a basic workflow that is manually triggered
+#
+# This workflow automates the build of Wazuh Dashboard for different
+# architectures and distributions.
+#
+# This workflow:
+# - Clones, configures, builds and packages the Wazuh Dashboard.
+# - Is customizable in architecture and reference (`branch/tag/commit`).
+# - Uploads the final package with a structured name.
 
-name: Build base
+name: Build Wazuh dashboard
 
 on:
   workflow_call:

.github/workflows/build_wazuh_dashboard_with_plugins.yml → .github/workflows/5_builderpackage_wazuh_dashboard_with_plugins.yml

@@ -1,3 +1,21 @@
+# This workflow automates the build of the Wazuh Dashboard package along with
+# its plugins.
+#
+# This workflow:
+# - Downloads, builds, packages, tests, and uploads the Wazuh Dashboard along
+#   with its plugins.
+# - Is customizable through inputs to adapt to different environments
+#   (production, staging, various architectures).
+# - Ensures that each component is built with the exact reference provided and
+#   validated before the final packaging.
+#
+# - Allows customization of:
+#   - Operating system (`deb` or `rpm`)
+#   - Architecture (`amd64`, `x86_64`, `aarch64`, `arm64`)
+#   - Package revision
+#   - Plugin references (branches, tags, or commits)
+#   - Staging, upload, and checksum options.
+
 run-name: Build ${{ inputs.system }} wazuh-dashboard on ${{ inputs.architecture }} ${{ inputs.is_stage && '- is stage' || '' }} ${{ inputs.checksum && '- checksum' || '' }} ${{ inputs.id }}
 name: Build Wazuh dashboard with plugins
 
@@ -104,6 +122,11 @@ on:
 
 jobs:
   setup-variables:
+    # 1. Clone plugin repositories and get SHA for each one.
+    # 2. Configure key variables such as:
+    #   - Final package name based on system, architecture and stage.
+    #   - Architecture flags.
+    #   - Version, revision and commit SHA information.
     runs-on: ubuntu-latest
     name: Setup variables
     outputs:
@@ -206,6 +229,8 @@ jobs:
           echo "ARCHITECTURE_FLAG=$ARCHITECTURE_FLAG" >> $GITHUB_OUTPUT
 
   validate-job:
+    # 1. Validates valid combinations of system and architecture.
+    # 2. Sets up AWS CLI for future uploads if needed.
     runs-on: ubuntu-latest
     needs: setup-variables
     name: Validate job
@@ -231,32 +256,40 @@ jobs:
   build-base:
     needs: [validate-job]
     name: Build dashboard
-    uses: wazuh/wazuh-dashboard/.github/workflows/build_base.yml@main
+    uses: wazuh/wazuh-dashboard/.github/workflows/5_builderpackage_wazuh_dashboard.yml@main
     with:
       CHECKOUT_TO: ${{ github.head_ref || github.ref_name }}
       ARCHITECTURE: ${{ inputs.architecture }}
 
   build-main-plugins:
     needs: [validate-job]
     name: Build plugins
-    uses: wazuh/wazuh-dashboard-plugins/.github/workflows/manual-build.yml@main
+    uses: wazuh/wazuh-dashboard-plugins/.github/workflows/5_builderpackage_manual-build.yml@main
     with:
       reference: ${{ inputs.reference_wazuh_plugins }}
 
   build-security-plugin:
     needs: [validate-job]
     name: Build security plugin
-    uses: wazuh/wazuh-security-dashboards-plugin/.github/workflows/manual-build.yml@main
+    uses: wazuh/wazuh-security-dashboards-plugin/.github/workflows/5_builderpackage_manual-build.yml@main
     with:
       reference: ${{ inputs.reference_security_plugins }}
 
   build-report-plugin:
     needs: [validate-job]
     name: Build reporting plugin
-    uses: wazuh/wazuh-dashboards-reporting/.github/workflows/manual-build.yml@main
+    uses: wazuh/wazuh-dashboards-reporting/.github/workflows/5_builderpackage_manual-build.yml@main
     with:
       reference: ${{ inputs.reference_report_plugins }}
+
   build-and-test-package:
+    # 1. Downloads previously built artifacts.
+    # 2. Packages the plugins and dashboard into `.zip` files.
+    # 3. Executes the build script to generate the final package (`.deb` or `.rpm`).
+    # 4. Performs tests on the generated package.
+    # 5. Renames the package with the appropriate final name.
+    # 6. If requested, generates the `.sha512` checksum file.
+    # 7. Finally, uploads the resulting package as an artifact.
     needs:
       [setup-variables, build-main-plugins, build-base, build-security-plugin, build-report-plugin]
     runs-on: ${{ (inputs.architecture == 'arm64' || inputs.architecture == 'aarch64') && 'wz-linux-arm64' || 'ubuntu-22.04' }}

.github/workflows/5_codequality_codeql.yml

@@ -0,0 +1,87 @@
+# CodeQL Workflow Configuration
+#
+# This workflow file will work for most projects without modifications; simply
+# commit it to your repository.
+#
+# ## Optional Customization
+# You may modify this file to:
+# - Adjust the set of analyzed languages.
+# - Add custom queries.
+# - Include custom build logic.
+#
+# ## ⚠️ Important Note
+# An attempt has been made to automatically detect the languages in your
+# repository. Please review the `language` matrix defined below to ensure it
+# includes the correct set of supported CodeQL languages.
+#
+# This workflow is used to perform code analysis with CodeQL:
+#
+# - 📅 Weekly analysis of code for vulnerabilities.
+# - 🔐 Applies static security analysis using CodeQL for JavaScript and
+#   TypeScript.
+
+name: Code analysis
+
+on:
+  push:
+    branches: [ "main", "[0-9].[0-9]", "[0-9].x" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 8 * * 5'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript']
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"