rldyour-opencode/.github/workflows/codeql.yml at main · NDDev-it-com/rldyour-opencode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly Tuesday 04:29 UTC — outside business hours, decoupled from
    # the Monday dependency-check window.
    - cron: "29 4 * * 2"
  workflow_dispatch: {}

permissions:
  contents: read
  # CodeQL v4.36.0 reads workflow-run metadata in the post-processing step
  # that enriches SARIF with run fingerprints (see job log line "Adding
  # fingerprints to SARIF file"). Without `actions: read` the action exits
  # with "Resource not accessible by integration - workflow-runs#get-a-
  # workflow-run" AFTER analysis is already done — the SARIF is correct
  # but the job is marked failed. `actions: read` is the minimum required
  # to let CodeQL inspect its own run; it does NOT widen privileges
  # beyond reading public workflow metadata.
  actions: read
  # Public repositories can publish CodeQL SARIF to GitHub code scanning.
  # `security-events: write` is the least privilege required by CodeQL
  # upload; results then appear as code scanning alerts instead of only as
  # workflow artifacts.
  security-events: write

concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.os }} / ${{ matrix.language }})
    runs-on: ${{ matrix.os }}
    timeout-minutes: 20
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest]
        language: ["javascript-typescript", "python"]
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      - name: Autobuild
        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0
      - name: Analyze
        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0
        with:
          # Matrix runs upload multiple analyses for the same commit; include
          # both dimensions so code scanning stores each result set separately.
          category: "/os:${{ matrix.os }}/language:${{ matrix.language }}"
          # CodeQL action uploads SARIF to code scanning by default. Keep the
          # local output directory too so the SARIF remains downloadable as a
          # workflow artifact for offline audit/debugging.
          upload-database: false
          output: codeql-results
      - name: Upload CodeQL SARIF artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: codeql-${{ matrix.os }}-${{ matrix.language }}-sarif
          path: codeql-results
          if-no-files-found: error
          retention-days: 14