| name: "CodeQL" |
| |
| on: |
| push: |
| branches: ["master", "[0-9].[0-9]*"] |
| pull_request: |
| # The branches below must be a subset of the branches above |
| branches: ["master"] |
| schedule: |
| - cron: "0 4 * * *" |
| |
| # cancel previous workflow jobs for PRs |
| concurrency: |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} |
| cancel-in-progress: true |
| |
| jobs: |
| analyze: |
| name: Analyze |
| runs-on: ubuntu-24.04 |
| permissions: |
| actions: read |
| contents: read |
| security-events: write |
| |
| strategy: |
| fail-fast: false |
| matrix: |
| language: ["python", "javascript"] |
| # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support |
| |
| steps: |
| - name: Checkout repository |
| uses: actions/checkout@v5 |
| |
| - name: Check for file changes |
| id: check |
| uses: ./.github/actions/change-detector/ |
| with: |
| token: ${{ secrets.GITHUB_TOKEN }} |
| |
| # Initializes the CodeQL tools for scanning. |
| - name: Initialize CodeQL |
| uses: github/codeql-action/init@v3 |
| with: |
| languages: ${{ matrix.language }} |
| # If you wish to specify custom queries, you can do so here or in a config file. |
| # By default, queries listed here will override any specified in a config file. |
| # Prefix the list here with "+" to use these queries and those in the config file. |
| |
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs |
| # queries: security-extended,security-and-quality |
| |
| - name: Perform CodeQL Analysis |
| if: steps.check.outputs.python || steps.check.outputs.frontend |
| uses: github/codeql-action/analyze@v3 |
| with: |
| category: "/language:${{matrix.language}}" |
