Merge branch 'main' into feat/14-contrib-viper #1185
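# CodeQL advanced setup. Replaces default-setup once disabled in repo settings.
#
# Advanced unlocks paths-ignore (skip generated code) and Go module caching
# across runs — projected ~1-2 min faster vs default-setup.
#
# Go analysis runs on push-to-main and weekly schedule only — not on PRs.
# Per-PR vulnerability coverage is handled by govulncheck (ci.yml). This avoids
# a ~5 min wall-clock hit from autobuild on every code PR.
# Actions and Python analyzers still run on PRs (both are fast, < 1 min).
#
# The "no Go on PRs" rule lives in `strategy.matrix`, not in a job-level `if`:
# the `matrix` context is not available in `jobs.<job_id>.if` (only github,
# needs, vars and inputs are), so `if: matrix.language != 'go' || ...` at job
# level does not validate. `strategy` does see the `github` context, so the Go
# entry is simply omitted from the matrix on pull_request events.
name: CodeQL

on:
  pull_request:
    branches: [main]
    paths-ignore:
      - "api/centralconfig/v1/**"
      - "internal/storage/dbstore/*.gen.go"
      - "**/*.md"
  push:
    branches: [main]
  schedule:
    - cron: "23 7 * * 1"

# One in-flight run per PR (or per commit on push/schedule); newer runs cancel
# older ones.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

# Workflow-wide token is read-only; the analyze job widens only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      security-events: write  # upload SARIF results to code scanning
      packages: read          # pull CodeQL query packs
      actions: read
      contents: read
    strategy:
      fail-fast: false
      # Go autobuild takes ~5 min; drop the Go entry on pull_request events —
      # govulncheck covers per-PR vuln scanning. Actions and Python are fast
      # (< 1 min) and still run on PRs. Folded scalar keeps the expression on
      # one logical line; all continuation lines share the same indent so they
      # fold rather than being kept verbatim.
      matrix: >-
        ${{ github.event_name == 'pull_request'
        && fromJSON('{"include":[{"language":"actions","build-mode":"none"},{"language":"python","build-mode":"none"}]}')
        || fromJSON('{"include":[{"language":"actions","build-mode":"none"},{"language":"go","build-mode":"autobuild"},{"language":"python","build-mode":"none"}]}') }}
    # NOTE(review): the actions below are pinned to major tags. Pinning to a
    # full commit SHA (with the tag kept in a trailing comment for readability)
    # protects against a moved or compromised tag; Dependabot can keep SHAs
    # current.
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false  # do not leave the token in .git/config

      - name: Set up Go
        if: matrix.language == 'go'
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Same generated-code exclusions as the pull_request trigger; this
          # copy is what the analyzer itself honours.
          config: |
            paths-ignore:
              - api/centralconfig/v1/**
              - internal/storage/dbstore/*.gen.go

      - name: Analyze
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"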