ci: bump the actions-all group across 1 directory with 4 updates #3

Workflow file for this run

name: CodeQL
# Static application security testing (SAST) for the Python sources across
# all workspace packages. Runs CodeQL's security-extended query suite on
# pull requests, pushes to main, and a weekly schedule, uploading results
# to the GitHub Security tab.
#
# Closes the OpenSSF Scorecard "SAST" gap: CodeQL statically analyzes the
# first-party source, complementing the dependency-vulnerability scanning
# (pip-audit) that runs separately.
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    # Wednesdays 06:00 UTC
    - cron: "0 6 * * 3"
  workflow_dispatch:
permissions:
  contents: read
jobs:
  analyze:
    name: Analyze (python)
    # Code scanning (SARIF upload) requires GitHub Code Security, which is
    # free on public repos but needs a paid license on private ones. Gate on
    # visibility so the job only runs where the upload can succeed.
    if: ${{ github.event.repository.visibility == 'public' }}
    runs-on: ubuntu-latest
    permissions:
      # Required for CodeQL to upload its SARIF results to code scanning.
      security-events: write
      contents: read
      actions: read
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      # build-mode: none, since CodeQL analyzes Python sources directly; no
      # compilation step is required.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          languages: python
          build-mode: none
          queries: security-extended
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          category: "/language:python"
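The workflow above pins every third-party action to a full commit SHA with a trailing version comment, which is what lets Dependabot bump the whole actions group in one PR like this one. The check below is an added example written for this page, not code from the repository or from GitHub: it scans the `uses:` lines of a workflow and flags any action that is pinned only to a movable tag, any SHA that lacks its `# vX.Y.Z` comment, and any action repository referenced at two different SHAs (a sign of a partially applied bump, e.g. codeql-action init and analyze drifting apart). The sample workflow embedded in it is constructed: the three pinned steps are copied from the file above, while the `setup-python`, `actions/cache` (placeholder SHA) and local-action steps were added to exercise each finding.

```python
"""Lint a GitHub Actions workflow for action-pinning hygiene.

Added example, not part of the repository this run belongs to. Third-party
actions should be pinned to a full 40-hex commit SHA (a tag such as v5 can
be re-pointed at different code later) and carry a "# vX.Y.Z" comment so
the Dependabot actions group can track and bump them. Standard library
only: the check reads `uses:` lines directly, so no YAML parser is needed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. The first three steps are the pinned steps from
# the CodeQL workflow on this page; the rest are made up to show what the
# lint flags (the actions/cache SHA is a placeholder, not a real release).
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
      - name: Tag-pinned (weak)
        uses: actions/setup-python@v5
      - name: SHA without version comment
        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
      - name: Local composite action (skipped)
        uses: ./.github/actions/lint
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v\d+(\.\d+){0,2}$")


@dataclass(frozen=True)
class UsesRef:
    line: int
    repo: str                # owner/repo, sub-paths such as /init stripped
    ref: str                 # text after '@': a tag, branch or commit SHA
    version: Optional[str]   # trailing "# vX.Y.Z" comment, if present


def parse_uses(workflow: str) -> list:
    """Extract every remote `uses:` reference with its line number."""
    refs = []
    for n, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        # Local actions and Docker images are not GitHub repos; skip them.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        repo = "/".join(action.split("/")[:2])
        refs.append(UsesRef(n, repo, ref, comment))
    return refs


def check_pinning(workflow: str) -> list:
    """Return one human-readable finding per problem; empty means clean."""
    refs = parse_uses(workflow)
    findings = []
    for r in refs:
        if not SHA_RE.match(r.ref):
            findings.append(
                f"line {r.line}: {r.repo}@{r.ref} is not pinned to a 40-hex commit SHA")
        elif r.version is None:
            findings.append(
                f"line {r.line}: {r.repo} is SHA-pinned but has no '# vX.Y.Z' version comment")
        elif not VERSION_RE.match(r.version):
            findings.append(
                f"line {r.line}: {r.repo} version comment {r.version!r} is not a vX.Y.Z tag")
    # Steps from one action repo should move together: codeql-action's init
    # and analyze at different SHAs would mean a bump was applied partially.
    by_repo = {}
    for r in refs:
        by_repo.setdefault(r.repo, set()).add(r.ref)
    for repo, shas in sorted(by_repo.items()):
        if len(shas) > 1:
            findings.append(f"{repo} is referenced at {len(shas)} different refs: {sorted(shas)}")
    return findings


if __name__ == "__main__":
    for finding in check_pinning(SAMPLE_WORKFLOW):
        print(finding)
```

Run against a real checkout with `check_pinning(open(".github/workflows/codeql.yml").read())`; a non-empty list is a reasonable CI failure condition alongside the Scorecard "Pinned-Dependencies" check. The regex deliberately ignores quoting and YAML anchors, so a workflow that builds `uses:` values indirectly would need a real YAML parser instead.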