From 1542fb850be6c91dc63662dca9543569997abd54 Mon Sep 17 00:00:00 2001
From: Callan Barrett
Date: Thu, 9 Apr 2026 18:16:54 +0800
Subject: [PATCH] ci: add CodeQL code scanning workflow

Add CodeQL security analysis with the security-extended query suite. Runs on PRs, pushes to main, and weekly schedule (catches new vulnerability patterns in existing code). Uses autobuild mode (pure Go, no native dependencies). Results appear in the repository's Security tab under Code scanning.
---
 .github/workflows/codeql.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..33057b5
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,36 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "23 4 * * 1" # Monday 4:23 UTC (12:23 AWST)
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (Go)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        with:
+          languages: go
+          build-mode: autobuild
+          queries: security-extended
+          dependency-caching: true
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        with:
+          category: "/language:go"
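Review bot: The `permissions` block grants only `contents: read` and `security-events: write`; if this repository is private (or ever becomes so), the analyze step also needs `actions: read` to read workflow-run metadata, and `packages: read` if the query packs are fetched from an internal registry, so it is worth adding `actions: read` now with a comment stating it is only required for private repositories. The checkout step keeps its defaults, which leave the job token persisted in `.git/config` for the later CodeQL steps; since nothing here pushes or fetches private Go modules as far as the hunk shows, `with: persist-credentials: false` on the `actions/checkout` step would narrow what the autobuild and analysis steps can reach with that token. A `concurrency` group keyed on the ref would also stop superseded PR pushes from queuing full 30-minute analyses, but that is a cost rather than a security point.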