1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
systemd/.github/workflows/codeql-analysis.yml
Evgeny Vereshchagin 510afa460a ci: tighten codeql and labeler even more
by moving the read permissions to the top level and
granting additional permissions to the specific jobs.
It should help to prevent new jobs that could be added
there eventually from having write access to resources they
most likely would never need.
2021-11-14 10:51:07 +00:00

49 lines
1.3 KiB
YAML

---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: "CodeQL"
on:
# It takes the workflow approximately 30 minutes to analyze the code base
# so it doesn't seem to make much sense to trigger it on every PR or commit.
# It runs daily at 01:00 to avoid colliding with the Coverity workflow.
schedule:
- cron: '0 1 * * *'
permissions:
contents: read
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
cancel-in-progress: true
permissions:
actions: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'cpp', 'python' ]
steps:
- name: Checkout repository
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- name: Initialize CodeQL
uses: github/codeql-action/init@5581e08a65fc3811c3ac78939dd59e7a8adbf003
with:
languages: ${{ matrix.language }}
- run: sudo -E .github/workflows/unit_tests.sh SETUP
- name: Autobuild
uses: github/codeql-action/autobuild@5581e08a65fc3811c3ac78939dd59e7a8adbf003
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@5581e08a65fc3811c3ac78939dd59e7a8adbf003