diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000000..0b7b627cca81e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,70 @@ +name: codeql + +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + +on: + push: + branches: + - 'master' + - '[0-9]+.[0-9]+' + tags: + - 'v*' + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + # ┌───────────── minute (0 - 59) + # │ ┌───────────── hour (0 - 23) + # │ │ ┌───────────── day of the month (1 - 31) + # │ │ │ ┌───────────── month (1 - 12) + # │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday) + # │ │ │ │ │ + # │ │ │ │ │ + # │ │ │ │ │ + # * * * * * + - cron: '0 9 * * 4' + +jobs: + codeql: + runs-on: ubuntu-24.04 + timeout-minutes: 10 + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 2 + # CodeQL 2.16.4's auto-build added support for multi-module repositories, + # and is trying to be smart by searching for modules in every directory, + # including vendor directories. If no module is found, it's creating one + # which is ... not what we want, so let's give it a "go.mod". + # see: https://github.com/docker/cli/pull/4944#issuecomment-2002034698 + - name: Create go.mod + run: | + ln -s vendor.mod go.mod + ln -s vendor.sum go.sum + - name: Update Go + uses: actions/setup-go@v5 + with: + go-version: 1.22.7 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: go + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:go"