name: 'API: CodeQL' on: push: branches: - 'master' - 'v5.*' paths: - 'api/**' - '.github/workflows/api-codeql.yml' - '.github/codeql/api-codeql-config.yml' pull_request: branches: - 'master' - 'v5.*' paths: - 'api/**' - '.github/workflows/api-codeql.yml' - '.github/codeql/api-codeql-config.yml' schedule: - cron: '00 12 * * *' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true permissions: {} jobs: api-analyze: name: CodeQL Security Analysis runs-on: ubuntu-latest timeout-minutes: 30 permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: language: - 'python' steps: - name: Harden Runner uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: block allowed-endpoints: > api.github.com:443 github.com:443 release-assets.githubusercontent.com:443 uploads.github.com:443 release-assets.githubusercontent.com:443 objects.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/api-codeql-config.yml - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 with: category: '/language:${{ matrix.language }}'