fix(ci): sync hypatia-scan.yml to canonical (#46) #171
| # SPDX-License-Identifier: AGPL-3.0-or-later | |
| name: CodeQL Security Analysis | |
| on: | |
| push: | |
| branches: [main, master] | |
| pull_request: | |
| branches: [main, master] | |
| schedule: | |
| - cron: '0 6 * * 1' | |
| permissions: read-all | |
| jobs: | |
| analyze: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # This repo is Ada/Scheme/Shell — languages CodeQL cannot analyze. | |
| # Pointing CodeQL at `javascript-typescript` made the analyze job | |
| # see no source and record zero results, so OSSF Scorecard's SAST | |
| # check reported "0 commits checked" (alert #72). `actions` scans | |
| # the workflow YAML, which every commit touches, so SAST now | |
| # produces results on every push. See hyperpolymath/hypatia#260. | |
| - language: actions | |
| build-mode: none | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v3.28.1 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v3.28.1 | |
| with: | |
| category: "/language:${{ matrix.language }}" |
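Review bot: The matrix now depends on the pinned `github/codeql-action` release shipping the `actions` extractor, but nothing near the pin records that dependency — the `# v3.28.1` labels on the init and analyze steps are unverified annotations beside the SHAs, and if the pinned bundle predates `actions` support the init step fails to resolve the language instead of silently recording zero results as the comment block describes for `javascript-typescript`. A comment above the init step, `# `actions` requires a codeql-action release that ships the Actions extractor; do not lower this pin`, would make the constraint visible at the next sync, and the sync itself should confirm the SHA matches the labeled release. The job also runs on `pull_request`, where the `security-events: write` grant does not apply to pull requests from forks (GITHUB_TOKEN is read-only there), so the analyze upload is expected to fail for fork PRs; that is presumably acceptable but is worth a one-line comment beside `security-events: write`. Whether this section is the whole file or a rendered excerpt cannot be told from the page.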