.github/workflows/codeql.yml

# Ref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch: # run manually from actions tab

# Set permissions at the job level.
permissions: {}

jobs:
  analyze:
    runs-on: ubuntu-24.04
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Ref: https://github.com/github/codeql-action
    - name: Initialize CodeQL
      uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
      with:
        languages: python
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6