CodeQL #28
```yaml
name: CodeQL
# This is the project's authoritative CodeQL configuration. If GitHub's
# default-config CodeQL is also enabled (Settings -> Code security ->
# Code scanning -> CodeQL analysis -> "Default"), every PR will run two
# identical scans and bill twice. Set the default to "None" or "Custom"
# pointing at this workflow to dedupe.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly on Monday at 06:00 UTC. Catches new query updates and any
    # vulnerabilities introduced via dependencies that no PR-time scan
    # would have surfaced.
    - cron: "0 6 * * 1"
permissions: read-all
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    permissions:
      security-events: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "1.26.3"
          cache: true
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          languages: go
          # Manual build mode. Autobuild runs `make` (default target =
          # `all` = `build test lint`), which on a fresh CI checkout
          # tripped the make build → check-ui-embed gate because
          # internal/ui/dist/ is gitignored except for .gitkeep and
          # `make ui` hasn't run. CodeQL only needs Go to compile for
          # type tracing; it doesn't need a working portal. Building
          # via `go build ./...` matches what the CI Build job does
          # (ci.yml step "Build") and decouples CodeQL from any
          # future Makefile prerequisite changes.
          build-mode: manual
          # security-and-quality bundles the security pack with style /
          # correctness rules. Project-specific query exclusions live
          # in the config-file; findings post to the repo's Security tab.
          config-file: ./.github/codeql/codeql-config.yml
      - name: Build
        run: go build -v ./...
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          category: "/language:go"
```
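The workflow above pins every third-party action to a full commit SHA with a trailing `# vX.Y.Z` comment, which is what keeps a tag move or a compromised release from silently changing what runs in CI. The following added check (not part of this repository) audits a workflow file for that property; the sample input is constructed here and mixes one line copied from the workflow with two deliberately weaker `uses:` lines.

```python
import re
from typing import List, Tuple

# Matches "uses: owner/repo@ref" (optionally as a "- uses:" list item) and
# captures any trailing "# comment" so we can confirm a version note is present.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full 40-hex commit SHA, the only immutable ref

def audit_action_pins(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action_ref, problem) for each `uses:` line that is not
    pinned to a full commit SHA accompanied by a human-readable version comment."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are outside this check's scope
        if "@" not in ref:
            findings.append((lineno, ref, "no ref given; resolves to default branch"))
            continue
        version = ref.rsplit("@", 1)[1]
        comment = (m.group("comment") or "").strip()
        if not SHA_RE.match(version):
            findings.append((lineno, ref, "mutable ref (tag/branch) instead of commit SHA"))
        elif not comment.startswith("v"):
            findings.append((lineno, ref, "SHA pin without version comment"))
    return findings

# Constructed sample: line 3 is the checkout step from the workflow above; the
# setup-go and init lines are hypothetical weaker variants for illustration.
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout
    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  - name: Set up Go
    uses: actions/setup-go@v6
  - name: Initialize CodeQL
    uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
"""

if __name__ == "__main__":
    for lineno, ref, problem in audit_action_pins(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```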