systemd/.github/workflows/codeql-analysis.yml

---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: "CodeQL"

on:
  pull_request:
    branches: [main]
  # It takes the workflow approximately 30 minutes to analyze the code base
  # so it doesn't seem to make much sense to trigger it on every PR or commit.
  # It runs daily at 01:00 to avoid colliding with the Coverity workflow.
  schedule:
    - cron: '0 1 * * *'

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event.pull_request.user.login == 'dependabot[bot]'
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
      cancel-in-progress: true
    permissions:
      actions: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'cpp', 'python' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

    - name: Initialize CodeQL
      uses: github/codeql-action/init@546b30f35ae5a3db0e0be1843008c2224f71c3b0
      with:
        languages: ${{ matrix.language }}

    - run: sudo -E .github/workflows/unit_tests.sh SETUP

    - name: Autobuild
      uses: github/codeql-action/autobuild@546b30f35ae5a3db0e0be1843008c2224f71c3b0

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@546b30f35ae5a3db0e0be1843008c2224f71c3b0
ci: LGPLv2+ify dependapot config and codeql action 2021-11-14 09:37:54 +00:00			`---`
			`# vi: ts=2 sw=2 et:`
			`# SPDX-License-Identifier: LGPL-2.1-or-later`
			`#`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`name: "CodeQL"`

			`on:`
ci: run codeql on PRs from Dependabot To make sure PRs like https://github.com/systemd/systemd/pull/21409 don't break anything. 2021-11-16 10:46:16 +00:00			`pull_request:`
			`branches: [main]`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`# It takes the workflow approximately 30 minutes to analyze the code base`
			`# so it doesn't seem to make much sense to trigger it on every PR or commit.`
			`# It runs daily at 01:00 to avoid colliding with the Coverity workflow.`
			`schedule:`
			`- cron: '0 1 * * *'`

ci: tighten codeql and labeler even more by moving the read permissions to the top level and granting additional permissions to the specific jobs. It should help to prevent new jobs that could be added there eventually from having write access to resources they most likely would never need. 2021-11-14 09:41:42 +00:00			`permissions:`
			`contents: read`

ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`jobs:`
			`analyze:`
			`name: Analyze`
			`runs-on: ubuntu-latest`
ci: run codeql on PRs from Dependabot To make sure PRs like https://github.com/systemd/systemd/pull/21409 don't break anything. 2021-11-16 10:46:16 +00:00			`if: github.event_name == 'schedule' \|\| github.event.pull_request.user.login == 'dependabot[bot]'`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`concurrency:`
			`group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}`
			`cancel-in-progress: true`
			`permissions:`
			`actions: read`
			`security-events: write`

			`strategy:`
			`fail-fast: false`
			`matrix:`
			`language: [ 'cpp', 'python' ]`

			`steps:`
			`- name: Checkout repository`
build(deps): bump actions/checkout from 2 to 2.4.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 2.4.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...ec3a7ce113134d7a93b817d10a8272cb61118579) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2021-11-13 09:36:24 +00:00			`uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00
			`- name: Initialize CodeQL`
build(deps): bump github/codeql-action from 1.0.24 to 1.0.25 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.24 to 1.0.25. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e095058bfa09de8070f94e98f5dc059531bc6235...546b30f35ae5a3db0e0be1843008c2224f71c3b0) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2021-12-06 21:17:32 +00:00			`uses: github/codeql-action/init@546b30f35ae5a3db0e0be1843008c2224f71c3b0`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`with:`
			`languages: ${{ matrix.language }}`

			`- run: sudo -E .github/workflows/unit_tests.sh SETUP`

			`- name: Autobuild`
build(deps): bump github/codeql-action from 1.0.24 to 1.0.25 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.24 to 1.0.25. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e095058bfa09de8070f94e98f5dc059531bc6235...546b30f35ae5a3db0e0be1843008c2224f71c3b0) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2021-12-06 21:17:32 +00:00			`uses: github/codeql-action/autobuild@546b30f35ae5a3db0e0be1843008c2224f71c3b0`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00
			`- name: Perform CodeQL Analysis`
build(deps): bump github/codeql-action from 1.0.24 to 1.0.25 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.24 to 1.0.25. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e095058bfa09de8070f94e98f5dc059531bc6235...546b30f35ae5a3db0e0be1843008c2224f71c3b0) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2021-12-06 21:17:32 +00:00			`uses: github/codeql-action/analyze@546b30f35ae5a3db0e0be1843008c2224f71c3b0`