-
Notifications
You must be signed in to change notification settings - Fork 0
55 lines (49 loc) · 1.83 KB
/
Copy pathcodeql.yml
File metadata and controls
55 lines (49 loc) · 1.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# CodeQL — advanced setup (replaces GitHub "default setup").
#
# Scopes analysis to the languages that matter here — Rust, JS/TS, GitHub
# Actions — dropping Python (no first-party Python) and the redundant
# javascript / typescript duplicates the default setup had enabled.
#
# NOTE on Rust: CodeQL analyses Rust in build-mode none (buildless) — the only
# supported / GA mode for Rust (GA since Oct 2025). On this macro-heavy codebase
# (Axum, SeaORM, sqlx, serde derives) buildless extraction can't see
# macro-generated code, so the "Low Rust analysis quality" status warning
# (~44% calls resolved) is EXPECTED and informational — 0 real alerts. It is NOT
# fixable by configuration; it improves only as CodeQL's upstream Rust
# resolution improves. (cargo fetch + extract_dependencies_as_source were
# measured and changed nothing, so they're intentionally absent.)
#
# IMPORTANT: the repo's "default setup" must stay OFF — default + advanced
# cannot coexist: Settings → Code security → "CodeQL analysis" → advanced.
name: "CodeQL"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
schedule:
- cron: "23 21 * * 1" # weekly, Monday 21:23 UTC
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
strategy:
fail-fast: false
matrix:
language: ["rust", "javascript-typescript", "actions"]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: none
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"