name: CodeQL on: push: branches: [main] pull_request: branches: ["**"] schedule: # CodeQL query packs are updated by GitHub over time; a scheduled scan # surfaces new findings even when no code has changed. - cron: "0 6 * * 1" permissions: contents: read concurrency: group: codeql-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true jobs: analyze: name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest permissions: security-events: write actions: read contents: read strategy: fail-fast: false matrix: include: - language: go build-mode: autobuild - language: javascript-typescript build-mode: none - language: actions build-mode: none steps: - name: Check out code uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go if: matrix.language == 'go' uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.26.3" - name: Initialize CodeQL uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} queries: security-extended - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 with: category: "/language:${{ matrix.language }}"