510afa460a
by moving the read permissions to the top level and granting additional permissions to the specific jobs. It should help to prevent new jobs that could be added there eventually from having write access to resources they most likely would never need.
---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: 'CodeQL'

# A full analysis of the tree takes roughly half an hour, so this workflow is
# deliberately not wired to push/pull_request events. It runs once a day at
# 01:00 (cron times are UTC), offset from the Coverity run so the two do not
# compete for runners.
on:
  schedule:
    - cron: '0 1 * * *'

# Workflow-wide default: every job starts with read-only access to the
# repository contents. A job that needs more must request it explicitly in
# its own `permissions` block, so a job added later does not inherit write
# access it never asked for.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    # Scanner-specific grants layered on top of the read-only default.
    # `security-events: write` is what lets the analyze step upload its
    # results to code scanning; `actions: read` is the other grant the
    # codeql-action documentation asks for.
    permissions:
      actions: read
      security-events: write

    # At most one in-flight run per (language, ref); a newer trigger cancels
    # the older one instead of queueing behind it.
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
      cancel-in-progress: true

    # Each language is analyzed in its own job; a failure in one must not
    # abort the other.
    strategy:
      fail-fast: false
      matrix:
        language:
          - 'cpp'
          - 'python'

    steps:
      # Third-party actions are pinned to full commit SHAs rather than
      # mutable tags, so a retagged upstream release cannot silently change
      # what runs here.
      - name: Checkout repository
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Initialize CodeQL
        uses: github/codeql-action/init@5581e08a65fc3811c3ac78939dd59e7a8adbf003
        with:
          languages: ${{ matrix.language }}

      # SETUP phase of the unit-test helper script (presumably installs the
      # build prerequisites autobuild needs); -E keeps the runner's
      # environment visible to it.
      - run: sudo -E .github/workflows/unit_tests.sh SETUP

      - name: Autobuild
        uses: github/codeql-action/autobuild@5581e08a65fc3811c3ac78939dd59e7a8adbf003

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@5581e08a65fc3811c3ac78939dd59e7a8adbf003