name: CodeQL on: push: branches: [main] pull_request: branches: [main] workflow_dispatch: permissions: contents: read # Cancel a superseded run for the same ref (e.g. a force-push to a PR) so we # don't burn CI minutes analyzing commits that are already stale. concurrency: group: codeql-${{ github.ref }} cancel-in-progress: true jobs: analyze: name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest timeout-minutes: 360 permissions: # Required to upload code-scanning results to the Security tab. security-events: write # Required by codeql-action to read the workflow/CI config. actions: read contents: read strategy: fail-fast: false matrix: include: # Haystack is a Python project; Python is interpreted, so no build is # needed. Add `javascript-typescript` here if the docs-website JS code # should also be scanned. - language: python build-mode: none steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: category: "/language:${{ matrix.language }}"