name: codeql # Default to 'contents: read', which grants actions to read commits. # # If any permission is set, any permission not included in the list is # implicitly set to "none". # # see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read on: push: branches: - 'master' - '[0-9]+.[0-9]+' tags: - 'v*' pull_request: # The branches below must be a subset of the branches above branches: [ "master" ] schedule: # ┌───────────── minute (0 - 59) # │ ┌───────────── hour (0 - 23) # │ │ ┌───────────── day of the month (1 - 31) # │ │ │ ┌───────────── month (1 - 12) # │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday) # │ │ │ │ │ # │ │ │ │ │ # │ │ │ │ │ # * * * * * - cron: '0 9 * * 4' jobs: codeql: runs-on: 'ubuntu-latest' timeout-minutes: 360 env: DISABLE_WARN_OUTSIDE_CONTAINER: '1' permissions: actions: read contents: read security-events: write steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 2 - name: Checkout HEAD on PR if: ${{ github.event_name == 'pull_request' }} run: | git checkout HEAD^2 # CodeQL 2.16.4's auto-build added support for multi-module repositories, # and is trying to be smart by searching for modules in every directory, # including vendor directories. If no module is found, it's creating one # which is ... not what we want, so let's give it a "go.mod". # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698 - name: Create go.mod run: | ln -s vendor.mod go.mod ln -s vendor.sum go.sum - name: Update Go uses: actions/setup-go@v5 with: go-version: 1.22.7 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: go - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "/language:go"