Skip to content
CodeQL Security Analysis

ci: make the four required status checks reportable on every PR #1254

Sign in to view logs

ci: make the four required status checks reportable on every PR

ci: make the four required status checks reportable on every PR #1254

Workflow file for this run

.github/workflows/codeql.yml at 6c31a4e
# SPDX-License-Identifier: MPL-2.0
name: CodeQL Security Analysis
on:
push:
branches: [main, master]
# No `branches:` filter: this job emits the required check
# `analyze (actions, none)`, so it must run on PRs against EVERY base —
# a required check whose workflow is filtered out is never created and
# sits forever at "Expected — Waiting for status to be reported".
pull_request:
schedule:
- cron: '0 6 1 * *'
# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
# updates do not pile up queued runs against the shared account-wide
# Actions concurrency pool. Applied only to read-only check workflows
# (no publish/mutation), so cancelling a superseded run is always safe.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
jobs:
analyze:
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
# affinescript is OCaml-only - OCaml not supported by CodeQL
# Using 'actions' to scan GitHub Actions workflow files
- language: actions
build-mode: none
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.28.1
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.28.1
with:
category: "/language:${{ matrix.language }}"