From 2be9512991c7ee4638a5c8f0a48bcee815e89a92 Mon Sep 17 00:00:00 2001 From: Ryan Parman Date: Fri, 27 Oct 2023 13:03:49 -0600 Subject: [PATCH] lint: Add CodeQL analysis. --- .github/workflows/codeql.yml | 47 +++++++++++++++++++++++++ .github/workflows/dependency-review.yml | 1 + 2 files changed, 48 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..e2f3d9af --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,47 @@ +--- +name: CodeQL Analysis + +on: + push: + branches: [main] + pull_request: + # The branches below must be a subset of the branches above + branches: [main] + schedule: + - cron: 0 0 * * 0 + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [go] + + steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: /language:${{matrix.language}} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 13c25a53..464bba95 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -8,6 +8,7 @@ # # Source repository: https://github.com/actions/dependency-review-action name: Dependency Review + on: [pull_request] permissions: