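# CodeQL static analysis for this repository.
#
# On pull requests the `check_paths` job first decides which languages are
# worth analyzing (based on the directories the PR touches); on pushes to the
# protected branches and on the nightly schedule every language is analyzed
# unconditionally.
name: "CodeQL scan"

on:
  schedule:
    # Daily at 00:00 UTC (Actions cron schedules are evaluated in UTC).
    - cron: "0 0 * * *"
  push:
    branches: ["develop", "release/**"]
  pull_request:
    branches: ["develop", "release/**"]

# Default to no GITHUB_TOKEN permissions; each job requests only what it needs.
permissions: {}

# One in-flight run per PR (keyed by PR number) or per pushed commit (keyed by
# the new SHA). Scheduled runs have neither, so they all share one group and a
# new nightly run cancels a still-running older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
  cancel-in-progress: true

jobs:
  check_paths:
    name: Check which language should be analyzed by CodeQL
    runs-on: ubuntu-latest
    # Only PRs are path-filtered. On push/schedule this job is skipped and
    # `analyze` falls back to running every language (see its `if:`).
    if: github.event_name == 'pull_request'
    outputs:
      run_python: "${{ steps.prepare_outputs.outputs.run_python }}"
      run_javascript_typescript: "${{ steps.prepare_outputs.outputs.run_javascript_typescript }}"
      run_actions: "${{ steps.prepare_outputs.outputs.run_actions }}"
      run_rust: "${{ steps.prepare_outputs.outputs.run_rust }}"
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # No later step pushes or calls the API; don't leave the token in
          # .git/config where any subsequent step (or action) could read it.
          persist-credentials: false

      - name: Get all paths that should trigger the workflow
        id: changed-files-yaml
        # Pinned to a full commit SHA, not a tag: this action's release tags
        # were retargeted to a malicious commit in a 2025 supply-chain incident,
        # so a tag pin would not protect against a repeat. Keep the SHA pin
        # (and the version comment) when bumping.
        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          # NOTE: only these directories are considered. Source of a given
          # language living outside them (e.g. top-level scripts or manifests)
          # does not trigger that language's analysis on a PR; such files are
          # still covered by the push/schedule runs, which analyze everything.
          files_yaml: |
            python:
              - application/backend/**
              - library/**
            rust:
              - application/ui/**
            javascript-typescript:
              - application/ui/**
            actions:
              - .github/**

      - name: Prepare outputs
        id: prepare_outputs
        # The changed-files results are passed through `env` rather than
        # interpolated into the script, so their content cannot alter the shell
        # command. They are normalized to the literal strings "true"/"false"
        # that the `analyze` matrix compares against.
        env:
          PYTHON_ANY_CHANGED: ${{ steps.changed-files-yaml.outputs.python_any_changed }}
          JAVASCRIPT_ANY_CHANGED: ${{ steps.changed-files-yaml.outputs.javascript-typescript_any_changed }}
          ACTIONS_ANY_CHANGED: ${{ steps.changed-files-yaml.outputs.actions_any_changed }}
          RUST_ANY_CHANGED: ${{ steps.changed-files-yaml.outputs.rust_any_changed }}
        run: |
          set -euo pipefail

          # emit <env_name> <env_value> <output_name>
          # Logs the incoming value and writes <output_name>=true|false to
          # $GITHUB_OUTPUT; anything other than the exact string "true" counts
          # as false.
          emit() {
            echo "$1=$2"
            if [ "$2" = "true" ]; then
              echo "$3=true" >> "$GITHUB_OUTPUT"
            else
              echo "$3=false" >> "$GITHUB_OUTPUT"
            fi
          }

          emit PYTHON_ANY_CHANGED "$PYTHON_ANY_CHANGED" run_python
          emit JAVASCRIPT_ANY_CHANGED "$JAVASCRIPT_ANY_CHANGED" run_javascript_typescript
          emit ACTIONS_ANY_CHANGED "$ACTIONS_ANY_CHANGED" run_actions
          emit RUST_ANY_CHANGED "$RUST_ANY_CHANGED" run_rust

  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    needs: check_paths
    # `check_paths` is skipped on push/schedule, and a job that `needs` a
    # skipped job is itself skipped unless its own condition says otherwise --
    # without this `if:` the nightly and push scans would never run. Run when
    # the path check succeeded OR was skipped; still honour cancellation and
    # still stop if the path check actually failed.
    if: ${{ !cancelled() && (needs.check_paths.result == 'success' || needs.check_paths.result == 'skipped') }}
    permissions:
      security-events: write # required to publish SARIF
      # NOTE: per the CodeQL action's documentation, private repositories also
      # need `actions: read` and `contents: read` here.
    strategy:
      fail-fast: false
      matrix:
        include:
          # `run` is the "true"/"false" string from check_paths on PRs. On
          # push/schedule that job is skipped, its outputs are empty, and the
          # `|| 'true'` fallback analyzes every language.
          - language: actions
            build-mode: none
            run: ${{ needs.check_paths.outputs.run_actions || 'true' }}
          - language: python
            build-mode: none
            run: ${{ needs.check_paths.outputs.run_python || 'true' }}
          - language: javascript-typescript
            build-mode: none
            run: ${{ needs.check_paths.outputs.run_javascript_typescript || 'true' }}
          - language: rust
            build-mode: none
            run: ${{ needs.check_paths.outputs.run_rust || 'true' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        if: ${{ matrix.run == 'true' }}
        uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # security-extended adds lower-precision security queries on top of
          # the default suite.
          queries: security-extended

      - name: Perform CodeQL Analysis
        if: ${{ matrix.run == 'true' }}
        uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
        with:
          # A distinct category per language so each upload replaces only its
          # own previous results, not another language's.
          category: "/language:${{matrix.language}}"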