Merge pull request #54 from ethanolivertroy/dependabot/github_actions… #20
| name: CodeQL Security Analysis | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| # Run at 4 AM UTC every Monday | |
| - cron: '0 4 * * 1' | |
| workflow_dispatch: | |
| # Minimal permissions for security | |
| permissions: | |
| contents: read | |
| jobs: | |
| analyze: | |
| name: Analyze Python Code | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read # Read workflow artifacts | |
| contents: read # Read repository contents | |
| security-events: write # Upload SARIF results | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'python' ] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 | |
| with: | |
| languages: ${{ matrix.language }} | |
| # Additional queries to run (optional - adds more security checks) | |
| queries: +security-extended,security-and-quality | |
| # Autobuild attempts to build any compiled languages (C/C++/C#/Go/Java/Swift) | |
| # For Python, this is not needed but we include it for future-proofing | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 | |
| with: | |
| category: "/language:${{ matrix.language }}" |