jamf · macnotes · Jan 8, 2026 · Jan 7, 2026 · Jan 8, 2026 · Jan 8, 2026
@@ -1,36 +1,3 @@
 # Script Expectations
 
-## Authors
-
-### ✔ Code Quality
-- Code is readable and follows established style
-- Naming is meaningful and consistent
-- Has enough comments to be easily understood
-- No dead or commented-out code
-- Anticipates where mistakes might be made and protects against it
-
-### ✔ Security
-- Inputs are validated and sanitized
-- Secrets are handled securely
-- Dependencies reviewed
-
-### ✔ Testing
-- Code has been tested and anticipates realistic real-world conditions
-
-### ✔ Documentation
-- The README (or header comments) explaining the script are up to date
-- The following are clearly stated:
- - Purpose
- - Requirements (Compatible OS and Jamf product versions, etc.)
- - Installation
- - Instructions for use 
-
-## Reviewers
-
-By approving a Pull Request, you acknowledge that the work:
-
-- Will be owned and actively maintained by your department
-- Will be removed if if becomes obsolete
-- Does no exceed the acceptable scope of the OSS policy
-- The Jamf Copyright and Source Available license text is included
-- Does not use or expose any non-public IP
+Please review the release checklist in Confluence prior to submitting a pull request. 
@@ -0,0 +1,88 @@
+name: "CodeQL Scan (PR-Incremental)"
+
+on:
+  pull_request:
+    paths-ignore:
+      - '**.md'   # ignore docs
+
+jobs:
+  detect-changes:
+    name: Detect PR Languages & Paths
+    runs-on: ubuntu-latest
+    outputs:
+      langs: ${{ steps.detect.outputs.langs }}
+      paths: ${{ steps.detect.outputs.paths }}
+    steps:
+      - name: Checkout PR
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # fetch full history
+
+      - name: Detect changed languages and folders
+        id: detect
+        run: |
+          SUPPORTED_LANGS="python javascript cpp csharp java go ruby php"
+          declare -A EXTENSIONS
+          EXTENSIONS=( 
+            [python]="py" 
+            [javascript]="js ts"
+            [csharp]="cs"
+            [go]="go"
+            [ruby]="rb"
+            [php]="php"
+          )
+
+          DETECTED_LANGS=""
+          DETECTED_PATHS=""
+
+          # List changed files in the PR
+          CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }})
+
+          for lang in $SUPPORTED_LANGS; do
+            for ext in ${EXTENSIONS[$lang]}; do
+              if echo "$CHANGED_FILES" | grep -E "\.${ext}$" >/dev/null; then
+                DETECTED_LANGS="$DETECTED_LANGS $lang"
+                break
+              fi
+            done
+          done
+
+          # Collect directories containing changed files (for path filters)
+          while read -r file; do
+            dir=$(dirname "$file")
+            DETECTED_PATHS="$DETECTED_PATHS $dir"
+          done <<< "$CHANGED_FILES"
+
+          DETECTED_LANGS=$(echo $DETECTED_LANGS | xargs)   # trim
+          DETECTED_PATHS=$(echo $DETECTED_PATHS | xargs | tr ' ' ',')  # comma-separated
+
+          echo "Languages detected: $DETECTED_LANGS"
+          echo "Paths to analyze: $DETECTED_PATHS"
+
+          echo "langs=$DETECTED_LANGS" >> $GITHUB_OUTPUT
+          echo "paths=$DETECTED_PATHS" >> $GITHUB_OUTPUT
+
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    needs: detect-changes
+    if: needs.detect-changes.outputs.langs != ''
+    steps:
+      - name: Checkout PR
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ needs.detect-changes.outputs.langs }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          debug: true
+          paths: ${{ needs.detect-changes.outputs.paths }}
+
+      - name: Build (if necessary)
+        run: |
+          # Add build commands here for compiled languages
+          echo "Build step (optional)"
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
@@ -0,0 +1,53 @@
+name: License Header Check
+
+on:
+  pull_request:
+  push:
+    branches: [ "main", "master" ]
+
+jobs:
+  check-license:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check for License Headers
+        run: |
+          failed=0
+          # Find files: .sh, .go, .swift, .py
+          # Exclude hidden directories/files (like inside .git)
+          files=$(find . -type f \( -name "*.sh" -o -name "*.go" -o -name "*.swift" -o -name "*.py" \) -not -path '*/.*')
+
+          for file in $files; do
+            missing_reqs=0
+
+            # Requirement 1: A line with both "Copyright" and "Jamf"
+            # We grep for Copyright, then pipe to grep for Jamf to ensure they are on the same line.
+            if ! grep "Copyright" "$file" | grep -q "Jamf"; then
+              echo "::error file=$file::Missing 'Copyright' and 'Jamf' on the same line."
+              missing_reqs=1
+            fi
+
+            # Requirement 2: Specific license string
+            if ! grep -Fq "This work is licensed under the terms of the Jamf Source Available License" "$file"; then
+              echo "::error file=$file::Missing 'This work is licensed under the terms of the Jamf Source Available License'"
+              missing_reqs=1
+            fi
+
+            # Requirement 3: License URL
+            if ! grep -Fq "https://github.com/jamf/scripts/blob/main/LICENCE.md" "$file"; then
+              echo "::error file=$file::Missing 'https://github.com/jamf/scripts/blob/main/LICENCE.md'"
+              missing_reqs=1
+            fi
+
+            if [ $missing_reqs -eq 1 ]; then
+              failed=1
+            fi
+          done
+
+          if [ $failed -eq 1 ]; then
+            echo "One or more files are missing required license headers."
+            exit 1
+          else
+            echo "All scanned files contain the required license headers."
+          fi
@@ -1,5 +1,5 @@
-*      @BIG-RAT @seposium 
+* @BIG-RAT @seposium 
 
-/IT/				@emily-at-jamf
-/Services/			@Penning87
-/Support_Success/ 	@klngbl @nickander
+/it/				@emily-at-jamf
+/services/			@Penning87
+/support/ 	@klngbl @nickander
@@ -0,0 +1 @@
+This directory contains scripts created by Jamf's IT team
@@ -0,0 +1 @@
+This directory contains scripts created by Jamf's Sales Engineering and Consulting Engineers department
@@ -0,0 +1 @@
+This directory contains scripts created by Jamf's Professional Services department
@@ -0,0 +1 @@
+This directory contains scripts created by Jamf's Support department
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		This directory contains scripts created by Jamf's IT team