65 lines
1.7 KiB
YAML
65 lines
1.7 KiB
YAML
name: CodeQL
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
schedule:
|
|
# Weekly on Wednesday at 14:23 UTC (arbitrary off-peak time)
|
|
- cron: "23 14 * * 3"
|
|
workflow_dispatch: {}
|
|
|
|
# Default to no permissions; grant minimally at the job level.
|
|
permissions:
|
|
actions: none
|
|
attestations: none
|
|
checks: none
|
|
contents: none
|
|
deployments: none
|
|
discussions: none
|
|
id-token: none
|
|
issues: none
|
|
models: none
|
|
packages: none
|
|
pages: none
|
|
pull-requests: none
|
|
repository-projects: none
|
|
security-events: none
|
|
statuses: none
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze (${{ matrix.language }})
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
permissions:
|
|
security-events: write # upload SARIF to code scanning
|
|
packages: read # fetch internal CodeQL packs (no-op for public repos)
|
|
actions: read
|
|
contents: read
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
# Scans workflow YAML for GitHub Actions security pitfalls
|
|
# (script injection, untrusted checkout patterns, over-broad tokens).
|
|
- language: actions
|
|
build-mode: none
|
|
# Scans Python helpers (e.g. tools/validate.py).
|
|
- language: python
|
|
build-mode: none
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
build-mode: ${{ matrix.build-mode }}
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
|
|
with:
|
|
category: "/language:${{ matrix.language }}"
|