systemd/.github/workflows/codeql-analysis.yml

---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: "CodeQL"

on:
  pull_request:
    branches: [main]
    paths:
      - .github/codeql-config.yml
      - .github/codeql-custom.qls
      - .github/workflows/codeql-analysis.yml
  # It takes the workflow approximately 30 minutes to analyze the code base
  # so it doesn't seem to make much sense to trigger it on every PR or commit.
  # It runs daily at 01:00 to avoid colliding with the Coverity workflow.
  schedule:
    - cron: '0 1 * * *'

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
      cancel-in-progress: true
    permissions:
      actions: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'cpp', 'python' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

    - name: Initialize CodeQL
      uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql-config.yml

    - run: sudo -E .github/workflows/unit_tests.sh SETUP

    - name: Autobuild
      uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
ci: LGPLv2+ify dependapot config and codeql action 2021-11-14 12:37:54 +03:00			`---`
			`# vi: ts=2 sw=2 et:`
			`# SPDX-License-Identifier: LGPL-2.1-or-later`
			`#`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-11 02:02:05 +03:00			`name: "CodeQL"`

			`on:`
ci: run codeql on PRs from Dependabot To make sure PRs like https://github.com/systemd/systemd/pull/21409 don't break anything. 2021-11-16 13:46:16 +03:00			`pull_request:`
			`branches: [main]`
ci: run the CodeQL action also when its configuration changes Just to make sure we didn't break anything. 2021-12-07 14:18:06 +03:00			`paths:`
			`- .github/codeql-config.yml`
			`- .github/codeql-custom.qls`
			`- .github/workflows/codeql-analysis.yml`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-11 02:02:05 +03:00			`# It takes the workflow approximately 30 minutes to analyze the code base`
			`# so it doesn't seem to make much sense to trigger it on every PR or commit.`
			`# It runs daily at 01:00 to avoid colliding with the Coverity workflow.`
			`schedule:`
			`- cron: '0 1 * * *'`

ci: tighten codeql and labeler even more by moving the read permissions to the top level and granting additional permissions to the specific jobs. It should help to prevent new jobs that could be added there eventually from having write access to resources they most likely would never need. 2021-11-14 12:41:42 +03:00			`permissions:`
			`contents: read`

ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-11 02:02:05 +03:00			`jobs:`
			`analyze:`
			`name: Analyze`
			`runs-on: ubuntu-latest`
			`concurrency:`
			`group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}`
			`cancel-in-progress: true`
			`permissions:`
			`actions: read`
			`security-events: write`

			`strategy:`
			`fail-fast: false`
			`matrix:`
			`language: [ 'cpp', 'python' ]`

			`steps:`
			`- name: Checkout repository`
build(deps): bump actions/checkout from 2 to 2.4.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 2.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...ec3a7ce113134d7a93b817d10a8272cb61118579) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2021-11-13 12:36:24 +03:00			`uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-11 02:02:05 +03:00
			`- name: Initialize CodeQL`
build(deps): bump github/codeql-action from 1.0.25 to 1.0.26 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.25 to 1.0.26. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/546b30f35ae5a3db0e0be1843008c2224f71c3b0...5f532563584d71fdef14ee64d17bafb34f751ce5) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2021-12-13 12:16:01 +03:00			`uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-11 02:02:05 +03:00			`with:`
			`languages: ${{ matrix.language }}`
ci: sync the list of CodeQL queries with LGTM 2021-12-07 14:06:29 +03:00			`config-file: ./.github/codeql-config.yml`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-11 02:02:05 +03:00
			`- run: sudo -E .github/workflows/unit_tests.sh SETUP`

			`- name: Autobuild`
build(deps): bump github/codeql-action from 1.0.25 to 1.0.26 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.25 to 1.0.26. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/546b30f35ae5a3db0e0be1843008c2224f71c3b0...5f532563584d71fdef14ee64d17bafb34f751ce5) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2021-12-13 12:16:01 +03:00			`uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-11 02:02:05 +03:00
			`- name: Perform CodeQL Analysis`
build(deps): bump github/codeql-action from 1.0.25 to 1.0.26 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.25 to 1.0.26. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/546b30f35ae5a3db0e0be1843008c2224f71c3b0...5f532563584d71fdef14ee64d17bafb34f751ce5) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2021-12-13 12:16:01 +03:00			`uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5`