From b8122a839410fb4e8b622238be651c7ca08bbba6 Mon Sep 17 00:00:00 2001
From: Steven Serrata
Date: Thu, 26 Mar 2026 11:06:27 -0400
Subject: [PATCH] fix(ci): improve CodeQL analysis workflow
- Update checkout to actions/checkout v4
- Update codeql-action/init and analyze to latest v3 commit (ebcb5b36)
- Add weekly scheduled scan (Monday 6am UTC)
- Enable security-extended query suite for broader coverage
- Remove dead branch triggers (v3.0.0, v2.0.0)
- Remove redundant fail-fast on single-language matrix
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/codeql-analysis.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c63e64727..c72c9f4c0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -2,11 +2,13 @@ name: "CodeQL"
 on:
 push:
- branches: [main, v3.0.0, v2.0.0]
+ branches: [main]
+ schedule:
+ - cron: "0 6 * * 1" # weekly Monday 6am UTC
 jobs:
 analyze:
- if: github.repository_owner == 'PaloAltoNetworks'
+ if: github.repository_owner == 'PaloAltoNetworks'
 name: Analyze
 runs-on: ubuntu-latest
 permissions:
@@ -14,18 +16,18 @@ jobs:
 security-events: write
 strategy:
- fail-fast: true
 matrix:
 language: ["javascript"]
 steps:
 - name: Checkout repository
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Initialize CodeQL
- uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3
+ uses: github/codeql-action/init@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
 with:
 languages: ${{ matrix.language }}
+ queries: security-extended
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
+ uses: github/codeql-action/analyze@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
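Review bot: The `on:` block on the new side of the first hunk fires only on `push` to `main` and on the weekly cron, so a pull request gets no CodeQL run and new alerts surface only after the code is already on `main`; if pre-merge scanning is wanted, add `pull_request:` with `  branches: [main]` next to `push:`, and if the omission is deliberate a one-line comment saying so would save the next reader the same question. The retained job-level `if: github.repository_owner == 'PaloAltoNetworks'` is the right guard for the new `schedule` trigger, since it stops forks from running the cron job. The `-`/`+` pair on that `if:` line reads identically in this collapsed view, so I take it to be an indentation-only fix; worth confirming against the rendered diff.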
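Review bot: In the second hunk the three updated `uses:` lines pin to full commit SHAs but annotate them only with a major version (`# v4`, `# v3`), which tells a reader nothing about which release the SHA actually resolves to and makes a stale or mistyped pin hard to spot in review; name the exact tag in the comment instead, e.g. `# v4.2.2` on the checkout line if that is the tag this SHA resolves to, and the matching release tags on the two codeql-action lines. Keeping `init` and `analyze` on the same codeql-action commit, as this hunk does, is the right call and is worth preserving in future bumps. The hunk ends at the analyze step's `uses:` line, so anything that follows it in the file is outside this view.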