| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| # CodeQL static analysis for Java. Runs on PRs to long-lived branches and |
| # weekly on a schedule. Findings appear in the Security tab; the workflow |
| # also produces a status check on PRs so reviewers see the badge. |
| # |
| # Third-party actions are SHA-pinned per SECURITY.md. |
| |
| name: CodeQL |
| |
| on: |
| push: |
| branches: [ main, master, trunk ] |
| pull_request: |
| branches: [ main, master, trunk ] |
| schedule: |
| # Mondays 07:17 UTC -- off the hour to dodge the GHA traffic spike. |
| - cron: '17 7 * * 1' |
| |
| permissions: |
| contents: read |
| |
| concurrency: |
| # Group PRs by PR number (cancellable on synchronize); pushes/cron by |
| # ref (queued, never canceled). |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} |
| |
| jobs: |
| analyze: |
| name: Analyze (java) |
| runs-on: ubuntu-latest |
| timeout-minutes: 30 |
| permissions: |
| # Required for the analyze step to upload SARIF to the Security tab. |
| security-events: write |
| # Needed by some private-repo paths; harmless on public repos. |
| actions: read |
| contents: read |
| |
| steps: |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
| with: |
| persist-credentials: false |
| - name: Set up JDK |
| uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0 |
| with: |
| java-version: '17' |
| distribution: 'temurin' |
| |
| - name: Initialize CodeQL |
| uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 |
| with: |
| languages: java-kotlin |
| # Default + security-extended queries. Add security-and-quality if |
| # noise stays manageable. |
| queries: security-extended |
| |
| - name: Build with Maven |
| run: mvn -B -DskipTests package |
| |
| - name: Perform CodeQL analysis |
| uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 |
| with: |
| category: "/language:java-kotlin" |