|
| 1 | +--- |
| 2 | +# For most projects, this workflow file will not need changing; you simply need |
| 3 | +# to commit it to your repository. |
| 4 | +# |
| 5 | +# You may wish to alter this file to override the set of languages analyzed, |
| 6 | +# or to provide custom queries or build logic. |
| 7 | +name: CodeQL |
| 8 | + |
| 9 | +# The use of on here as a key is part of the GitHub actions syntax. |
| 10 | +# yamllint disable-line rule:truthy |
| 11 | +on: |
| 12 | + merge_group: |
| 13 | + types: |
| 14 | + - checks_requested |
| 15 | + pull_request: |
| 16 | + # The branches here must be a subset of the ones in the push key |
| 17 | + branches: |
| 18 | + - develop |
| 19 | + push: |
| 20 | + # Dependabot-triggered push events have read-only access, but uploading code |
| 21 | + # scanning requires write access. |
| 22 | + branches-ignore: |
| 23 | + - dependabot/** |
| 24 | + schedule: |
| 25 | + - cron: 0 2 * * 6 |
| 26 | + |
| 27 | +jobs: |
| 28 | + diagnostics: |
| 29 | + name: Run diagnostics |
| 30 | + # This job does not need any permissions |
| 31 | + permissions: {} |
| 32 | + runs-on: ubuntu-latest |
| 33 | + steps: |
| 34 | + # Note that a duplicate of this step must be added at the top of |
| 35 | + # each job. |
| 36 | + - name: Apply standard cisagov job preamble |
| 37 | + uses: cisagov/action-job-preamble@v1 |
| 38 | + with: |
| 39 | + check_github_status: "true" |
| 40 | + # This functionality is poorly implemented and has been |
| 41 | + # causing a lot of problems due to the MITM implementation |
| 42 | + # hogging or leaking memory, so we disable it for now. |
| 43 | + monitor_permissions: "false" |
| 44 | + output_workflow_context: "true" |
| 45 | + # Use a variable to specify the permissions monitoring |
| 46 | + # configuration. By default this will yield the |
| 47 | + # configuration stored in the cisagov organization-level |
| 48 | + # variable, but if you want to use a different configuration |
| 49 | + # then simply: |
| 50 | + # 1. Create a repository-level variable with the name |
| 51 | + # ACTIONS_PERMISSIONS_CONFIG. |
| 52 | + # 2. Set this new variable's value to the configuration you |
| 53 | + # want to use for this repository. |
| 54 | + # |
| 55 | + # Note in particular that changing the permissions |
| 56 | + # monitoring configuration *does not* require you to modify |
| 57 | + # this workflow. |
| 58 | + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} |
| 59 | + analyze: |
| 60 | + name: Analyze |
| 61 | + needs: |
| 62 | + - diagnostics |
| 63 | + runs-on: ubuntu-latest |
| 64 | + permissions: |
| 65 | + # actions/checkout needs this to fetch code |
| 66 | + contents: read |
| 67 | + # required for all workflows |
| 68 | + security-events: write |
| 69 | + strategy: |
| 70 | + fail-fast: false |
| 71 | + matrix: |
| 72 | + # Override automatic language detection by changing the below |
| 73 | + # list |
| 74 | + # |
| 75 | + # Supported options are actions, c-cpp, csharp, go, |
| 76 | + # java-kotlin, javascript-typescript, python, ruby, and swift. |
| 77 | + language: |
| 78 | + - actions |
| 79 | + # Learn more... |
| 80 | + # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection |
| 81 | + |
| 82 | + steps: |
| 83 | + - name: Apply standard cisagov job preamble |
| 84 | + uses: cisagov/action-job-preamble@v1 |
| 85 | + with: |
| 86 | + # This functionality is poorly implemented and has been |
| 87 | + # causing a lot of problems due to the MITM implementation |
| 88 | + # hogging or leaking memory, so we disable it for now. |
| 89 | + monitor_permissions: "false" |
| 90 | + # Use a variable to specify the permissions monitoring |
| 91 | + # configuration. By default this will yield the |
| 92 | + # configuration stored in the cisagov organization-level |
| 93 | + # variable, but if you want to use a different configuration |
| 94 | + # then simply: |
| 95 | + # 1. Create a repository-level variable with the name |
| 96 | + # ACTIONS_PERMISSIONS_CONFIG. |
| 97 | + # 2. Set this new variable's value to the configuration you |
| 98 | + # want to use for this repository. |
| 99 | + # |
| 100 | + # Note in particular that changing the permissions |
| 101 | + # monitoring configuration *does not* require you to modify |
| 102 | + # this workflow. |
| 103 | + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} |
| 104 | + |
| 105 | + - name: Checkout repository |
| 106 | + uses: actions/checkout@v4 |
| 107 | + |
| 108 | + # Initializes the CodeQL tools for scanning. |
| 109 | + - name: Initialize CodeQL |
| 110 | + uses: github/codeql-action/init@v3 |
| 111 | + with: |
| 112 | + languages: ${{ matrix.language }} |
| 113 | + |
| 114 | + # Autobuild attempts to build any compiled languages (C/C++, C#, or |
| 115 | + # Java). If this step fails, then you should remove it and run the build |
| 116 | + # manually (see below). |
| 117 | + - name: Autobuild |
| 118 | + uses: github/codeql-action/autobuild@v3 |
| 119 | + |
| 120 | + # ℹ️ Command-line programs to run using the OS shell. |
| 121 | + # 📚 https://git.io/JvXDl |
| 122 | + |
| 123 | + # ✏️ If the Autobuild fails above, remove it and uncomment the following |
| 124 | + # three lines and modify them (or add more) to build your code if your |
| 125 | + # project uses a compiled language |
| 126 | + |
| 127 | + # - run: | |
| 128 | + # make bootstrap |
| 129 | + # make release |
| 130 | + |
| 131 | + - name: Perform CodeQL Analysis |
| 132 | + uses: github/codeql-action/analyze@v3 |
0 commit comments