Devel #1899
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "CodeQL" | |
on: | |
push: | |
branches: [ "master", "devel", "codeql" ] | |
paths-ignore: | |
- 'docs/**' | |
pull_request: | |
branches: [ "master", "devel" ] | |
schedule: | |
- cron: "14 21 * * 5" | |
# run only the latest instance of this workflow job for the current branch/PR | |
# cancel older runs | |
# fall back to run id if not available (run id is unique -> no cancellations) | |
concurrency: | |
group: ci-${{ github.ref || github.run_id }}-${{ github.workflow }} | |
cancel-in-progress: true | |
jobs: | |
analyze: | |
name: Analyze | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
language: [ python ] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 100 | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: ${{ matrix.language }} | |
queries: +security-and-quality | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@v3 | |
- name: Pip cache cleanup | |
shell: bash | |
# CODEQL_PYTHON is only defined if dependencies were installed [0] | |
# [0] https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning?learn=code_security_actions&learnProduct=code-security#analyzing-python-dependencies | |
if: ${{ env.CODEQL_PYTHON != '' }} | |
run: | | |
$CODEQL_PYTHON -m pip cache info | |
$CODEQL_PYTHON -m pip cache purge | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:${{ matrix.language }}" |