zulip/.github/workflows/codeql-analysis.yml

name: "Code scanning"

on:
  push:
    branches: ["*.x", chat.zulip.org, main]
    tags: ["*"]
  pull_request:
    branches: ["*.x", chat.zulip.org, main]
  workflow_dispatch:

concurrency:
  group: "${{ github.workflow }}-${{ github.head_ref || github.run_id }}"
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  CodeQL:
    permissions:
      actions: read # for github/codeql-action/init to get workflow details
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/analyze to upload SARIF results
    if: ${{!github.event.repository.private}}
    runs-on: ubuntu-latest

    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3

        # Override language selection by uncommenting this and choosing your languages
        # with:
        #   languages: go, javascript, csharp, python, cpp, java

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
docs: Fix more capitalization issues. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-23 02:43:28 +02:00			`name: "Code scanning"`
github: Enable new codeql-analysis feature. This file was generated by GitHub's code analysis tutorial; we were just approved from their waitlist. I deleted the part to run compilers as it is not relevant for us. 2020-06-25 20:29:26 +02:00
ci: Do not run CodeQL on Dependabot push events. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-08-04 11:34:21 +02:00			`on:`
			`push:`
ci: Avoid duplicate GitHub Actions runs for push, pull_request. We’ve always been running CI on both push events and pull_request events, which means it runs twice for commits that are pushed to a pull request. Filter the push events by branch name. Add the workflow_dispatch event in case developers want to manually run CI on some other branch that isn’t a pull request. https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-07-05 23:57:53 +02:00			`branches: ["*.x", chat.zulip.org, main]`
			`tags: ["*"]`
			`pull_request:`
ci: Limit CodeQL analysis with the same branches for push, pull_request. Silences “Warning: 1 issue was detected with this workflow: Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.” Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-07-07 22:23:25 +02:00			`branches: ["*.x", chat.zulip.org, main]`
ci: Avoid duplicate GitHub Actions runs for push, pull_request. We’ve always been running CI on both push events and pull_request events, which means it runs twice for commits that are pushed to a pull request. Filter the push events by branch name. Add the workflow_dispatch event in case developers want to manually run CI on some other branch that isn’t a pull request. https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-07-05 23:57:53 +02:00			`workflow_dispatch:`
github: Enable new codeql-analysis feature. This file was generated by GitHub's code analysis tutorial; we were just approved from their waitlist. I deleted the part to run compilers as it is not relevant for us. 2020-06-25 20:29:26 +02:00
ci: Replace cancel-previous-runs job with concurrency configuration. Using ‘github.head_ref \|\| github.run_id’ makes this only cancel in-progress jobs for pull_request events. https://docs.github.com/en/actions/using-jobs/using-concurrency Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-07-05 01:14:47 +02:00			`concurrency:`
			`group: "${{ github.workflow }}-${{ github.head_ref \|\| github.run_id }}"`
			`cancel-in-progress: true`

ci: Limit GitHub token permissions for workflows. This limits the ability for an Action to do mischief with this token. Fixes #22786. Signed-off-by: Varun Sharma <varunsh@stepsecurity.io> 2022-08-30 02:12:55 +02:00			`permissions:`
			`contents: read`

github: Enable new codeql-analysis feature. This file was generated by GitHub's code analysis tutorial; we were just approved from their waitlist. I deleted the part to run compilers as it is not relevant for us. 2020-06-25 20:29:26 +02:00			`jobs:`
minor: Rename codeql workflow names. This makes it so the GitHub displays the runs as "Code Scanning / CodeQL" instead of "Code scanning - actions / CodeQL-Build". 2020-07-07 20:07:13 +02:00			`CodeQL:`
ci: Limit GitHub token permissions for workflows. This limits the ability for an Action to do mischief with this token. Fixes #22786. Signed-off-by: Varun Sharma <varunsh@stepsecurity.io> 2022-08-30 02:12:55 +02:00			`permissions:`
			`actions: read # for github/codeql-action/init to get workflow details`
			`contents: read # for actions/checkout to fetch code`
			`security-events: write # for github/codeql-action/analyze to upload SARIF results`
github: Ignore CodeQL analysis in private repos. CodeQL only runs in public repos; private forks will otherwise error their CI runs. 2021-10-01 01:16:31 +02:00			`if: ${{!github.event.repository.private}}`
github: Enable new codeql-analysis feature. This file was generated by GitHub's code analysis tutorial; we were just approved from their waitlist. I deleted the part to run compilers as it is not relevant for us. 2020-06-25 20:29:26 +02:00			`runs-on: ubuntu-latest`

			`steps:`
docs: Add spaces to “check out”, “log in”, “set up”, “sign up” as verbs. “Checkout”, “login”, “setup”, and “signup” are nouns, not verbs. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-13 23:50:18 +02:00			`- name: Check out repository`
ci: Upgrade external GitHub actions. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2024-02-22 00:24:18 +01:00			`uses: actions/checkout@v4`
github: Enable new codeql-analysis feature. This file was generated by GitHub's code analysis tutorial; we were just approved from their waitlist. I deleted the part to run compilers as it is not relevant for us. 2020-06-25 20:29:26 +02:00
lint: Reformat YAML files with Prettier. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-07-01 21:19:49 +02:00			`# Initializes the CodeQL tools for scanning.`
			`- name: Initialize CodeQL`
ci: Upgrade github/codeql-action. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2024-07-18 04:10:12 +02:00			`uses: github/codeql-action/init@v3`
github: Enable new codeql-analysis feature. This file was generated by GitHub's code analysis tutorial; we were just approved from their waitlist. I deleted the part to run compilers as it is not relevant for us. 2020-06-25 20:29:26 +02:00
lint: Reformat YAML files with Prettier. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-07-01 21:19:49 +02:00			`# Override language selection by uncommenting this and choosing your languages`
			`# with:`
			`# languages: go, javascript, csharp, python, cpp, java`
ci: Run CodeQL on merge commit. As per https://github.com/github/codeql-action/pull/297. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-08-03 21:38:25 +02:00
lint: Reformat YAML files with Prettier. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-07-01 21:19:49 +02:00			`- name: Perform CodeQL Analysis`
ci: Upgrade github/codeql-action. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2024-07-18 04:10:12 +02:00			`uses: github/codeql-action/analyze@v3`