generic/.github/workflows/codeql.yml

name: "CodeQL"

on:
  push:
    branches: ["main"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["main"]
  schedule:
    - cron: "0 0 * * 1"

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@05963f47d870e2cb19a537396c1f668a348c7d8f # v3.24.8
        with:
          languages: python

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@05963f47d870e2cb19a537396c1f668a348c7d8f # v3.24.8
        with:
          category: "/language:python"
[StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-07-02 16:39:46 +00:00			`name: "CodeQL"`

			`on:`
			`push:`
			`branches: ["main"]`
			`pull_request:`
			`# The branches below must be a subset of the branches above`
			`branches: ["main"]`
			`schedule:`
			`- cron: "0 0 * * 1"`

			`permissions:`
			`contents: read`

			`jobs:`
			`analyze:`
			`name: Analyze`
			`runs-on: ubuntu-latest`
			`permissions:`
			`actions: read`
			`contents: read`
			`security-events: write`

			`steps:`
			`- name: Harden Runner`
Bump step-security/harden-runner from 2.6.1 to 2.7.0 (#479) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.1 to 2.7.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/eb238b55efaa70779f274895e782ed17c84f2895...63c24ba6bd7ba022e95695ff85de572c04a18142) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-01-31 18:46:21 -05:00			`uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0`
[StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-07-02 16:39:46 +00:00			`with:`
			`egress-policy: audit`

			`- name: Checkout repository`
Bump the github-action-updates group with 2 updates (#502) Bumps the github-action-updates group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 4.1.1 to 4.1.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633) Updates `github/codeql-action` from 3.24.6 to 3.24.8 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8a470fddafa5cbb6266ee11b37ef4d8aae19c571...05963f47d870e2cb19a537396c1f668a348c7d8f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-action-updates - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-action-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-03-18 16:05:37 -04:00			`uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2`
[StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-07-02 16:39:46 +00:00
			`# Initializes the CodeQL tools for scanning.`
			`- name: Initialize CodeQL`
Bump the github-action-updates group with 2 updates (#502) Bumps the github-action-updates group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 4.1.1 to 4.1.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633) Updates `github/codeql-action` from 3.24.6 to 3.24.8 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8a470fddafa5cbb6266ee11b37ef4d8aae19c571...05963f47d870e2cb19a537396c1f668a348c7d8f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-action-updates - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-action-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-03-18 16:05:37 -04:00			`uses: github/codeql-action/init@05963f47d870e2cb19a537396c1f668a348c7d8f # v3.24.8`
[StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-07-02 16:39:46 +00:00			`with:`
Don't run autobuild with CodeQL 2023-07-02 13:21:48 -04:00			`languages: python`
[StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-07-02 16:39:46 +00:00
			`- name: Perform CodeQL Analysis`
Bump the github-action-updates group with 2 updates (#502) Bumps the github-action-updates group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 4.1.1 to 4.1.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633) Updates `github/codeql-action` from 3.24.6 to 3.24.8 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8a470fddafa5cbb6266ee11b37ef4d8aae19c571...05963f47d870e2cb19a537396c1f668a348c7d8f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-action-updates - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-action-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-03-18 16:05:37 -04:00			`uses: github/codeql-action/analyze@05963f47d870e2cb19a537396c1f668a348c7d8f # v3.24.8`
[StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-07-02 16:39:46 +00:00			`with:`
Don't run autobuild with CodeQL 2023-07-02 13:21:48 -04:00			`category: "/language:python"`