CodeQL #127
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CodeQL | |
| # Static analysis (semantic code scanning) for the Python codebase. Results are | |
| # uploaded to the repository's Security > Code scanning alerts. Runs on PRs/pushes | |
| # to the main branches and on a weekly schedule to catch newly published queries. | |
| on: | |
| push: | |
| branches: [main, master, develop] | |
| pull_request: | |
| branches: [main, master, develop] | |
| schedule: | |
| - cron: "0 4 * * 1" | |
| workflow_dispatch: | |
| concurrency: | |
| group: codeql-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Least privilege at the top level; the analyze job escalates to the single write | |
| # scope it needs (uploading code-scanning results). | |
| permissions: | |
| contents: read | |
| jobs: | |
| analyze: | |
| name: Analyze (python) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| # Least privilege: read the code, write code-scanning results, nothing else. | |
| permissions: | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [python] | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-and-quality | |
| - name: Perform CodeQL analysis | |
| uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 | |
| with: | |
| category: "/language:${{ matrix.language }}" |