.github/workflows/codeql.yaml - tooling-trusted-releases - Git at Google

 name: CodeQL

 on:
   push:
     branches: [arm, main, sbp]
   pull_request:
     branches: [main]
   schedule:
     # Run every Monday at 5:30 AM UTC
     - cron: '30 5 * * 1'

 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest

     permissions:
       actions: read
       contents: read
       packages: read
       security-events: write

     strategy:
       fail-fast: false
       matrix:
         include:
           - language: python
             query_suite: security-extended
             suppression_pack: +codeql/python-queries:AlertSuppression.ql
           - language: actions
             query_suite: security-and-quality,security-experimental
             suppression_pack: ""
           - language: javascript-typescript
             query_suite: security-extended
             suppression_pack: ""

     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           persist-credentials: false

       - name: Start CodeQL
         uses: github/codeql-action/init@267c4672a565967e4531438f2498370de5e8a98d
         with:
           languages: ${{ matrix.language }}
           queries: ${{ matrix.query_suite }}
           packs: ${{ matrix.suppression_pack }}
           config-file: ./codeql-config.yml

       - name: Perform CodeQL analysis
         id: analyze
         uses: github/codeql-action/analyze@267c4672a565967e4531438f2498370de5e8a98d
         with:
           category: "/language:${{ matrix.language }}"
           output: sarif-results

       - name: Show SARIF suppressed result statistics
         id: sarif-stats
         run: |
           python - <<'PY'
           import json, os, pathlib
           sarif_dir = pathlib.Path("sarif-results")
           sarif_files = list(sarif_dir.glob("*.sarif"))
           if not sarif_files:
               print("No SARIF files found in sarif-results/")
               raise SystemExit(1)
           p = sarif_files[0]
           data = json.loads(p.read_text())
           results = data["runs"][0].get("results", [])
           suppressed = [r for r in results if r.get("suppressions")]
           print(f"SARIF file: {p}")
           print(f"Total results: {len(results)}")
           print(f"Suppressed results: {len(suppressed)}")
           with open(os.environ["GITHUB_OUTPUT"], "a") as f:
               f.write(f"sarif-file={p}\n")
           PY

       - name: Dismiss alerts of suppressed results
         if: github.ref == 'refs/heads/main'
         uses: advanced-security/dismiss-alerts@046d6b48d2e43cf563f96f67332c47c432eff83e
         with:
           sarif-id: ${{ steps.analyze.outputs.sarif-id }}
           sarif-file: ${{ steps.sarif-stats.outputs.sarif-file }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	name: CodeQL

	on:
	push:
	branches: [arm, main, sbp]
	pull_request:
	branches: [main]
	schedule:
	# Run every Monday at 5:30 AM UTC
	- cron: '30 5 * * 1'

	jobs:
	analyze:
	name: Analyze
	runs-on: ubuntu-latest

	permissions:
	actions: read
	contents: read
	packages: read
	security-events: write

	strategy:
	fail-fast: false
	matrix:
	include:
	- language: python
	query_suite: security-extended
	suppression_pack: +codeql/python-queries:AlertSuppression.ql
	- language: actions
	query_suite: security-and-quality,security-experimental
	suppression_pack: ""
	- language: javascript-typescript
	query_suite: security-extended
	suppression_pack: ""

	steps:
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
	with:
	persist-credentials: false

	- name: Start CodeQL
	uses: github/codeql-action/init@267c4672a565967e4531438f2498370de5e8a98d
	with:
	languages: ${{ matrix.language }}
	queries: ${{ matrix.query_suite }}
	packs: ${{ matrix.suppression_pack }}
	config-file: ./codeql-config.yml

	- name: Perform CodeQL analysis
	id: analyze
	uses: github/codeql-action/analyze@267c4672a565967e4531438f2498370de5e8a98d
	with:
	category: "/language:${{ matrix.language }}"
	output: sarif-results

	- name: Show SARIF suppressed result statistics
	id: sarif-stats
	run: \|
	python - <<'PY'
	import json, os, pathlib
	sarif_dir = pathlib.Path("sarif-results")
	sarif_files = list(sarif_dir.glob("*.sarif"))
	if not sarif_files:
	print("No SARIF files found in sarif-results/")
	raise SystemExit(1)
	p = sarif_files[0]
	data = json.loads(p.read_text())
	results = data["runs"][0].get("results", [])
	suppressed = [r for r in results if r.get("suppressions")]
	print(f"SARIF file: {p}")
	print(f"Total results: {len(results)}")
	print(f"Suppressed results: {len(suppressed)}")
	with open(os.environ["GITHUB_OUTPUT"], "a") as f:
	f.write(f"sarif-file={p}\n")
	PY

	- name: Dismiss alerts of suppressed results
	if: github.ref == 'refs/heads/main'
	uses: advanced-security/dismiss-alerts@046d6b48d2e43cf563f96f67332c47c432eff83e
	with:
	sarif-id: ${{ steps.analyze.outputs.sarif-id }}
	sarif-file: ${{ steps.sarif-stats.outputs.sarif-file }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}