fzf/.github/workflows/codeql-analysis.yml

# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning
name: CodeQL

on:
  push:
    branches: [ master, devel ]
  pull_request:
    branches: [ master ]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  analyze:
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/autobuild to send a status report
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: ['go']

    steps:
    - name: Checkout repository
      uses: actions/checkout@v3
      with:
        fetch-depth: 0

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}

    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
Create codeql-analysis.yml (#2338) 2021-02-01 14:54:45 +00:00			`# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning`
			`name: CodeQL`

			`on:`
			`push:`
			`branches: [ master, devel ]`
			`pull_request:`
			`branches: [ master ]`
Enable manually trigger on GitHub Workflows (#2620) 2021-10-04 12:41:54 +00:00			`workflow_dispatch:`
Create codeql-analysis.yml (#2338) 2021-02-01 14:54:45 +00:00
Pin actions to a full length commit SHA (#2765) - Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions >Pin actions to a full length commit SHA >Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions Also, dependabot supports upgrade based on SHA. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>s 2022-03-29 12:08:01 +00:00			`permissions:`
			`contents: read`

Create codeql-analysis.yml (#2338) 2021-02-01 14:54:45 +00:00			`jobs:`
			`analyze:`
Pin actions to a full length commit SHA (#2765) - Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions >Pin actions to a full length commit SHA >Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions Also, dependabot supports upgrade based on SHA. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>s 2022-03-29 12:08:01 +00:00			`permissions:`
			`actions: read # for github/codeql-action/init to get workflow details`
			`contents: read # for actions/checkout to fetch code`
			`security-events: write # for github/codeql-action/autobuild to send a status report`
Create codeql-analysis.yml (#2338) 2021-02-01 14:54:45 +00:00			`name: Analyze`
			`runs-on: ubuntu-latest`

			`strategy:`
			`fail-fast: false`
			`matrix:`
			`language: ['go']`

			`steps:`
			`- name: Checkout repository`
Bump actions/checkout from 61b9e3751b92087fd0b06925ba6dd6314e06f089 to v3 (#2997) * Bump actions/checkout Bumps [actions/checkout](https://github.com/actions/checkout) from 61b9e3751b92087fd0b06925ba6dd6314e06f089 to 3.1.0. This release includes the previously tagged commit. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/61b9e3751b92087fd0b06925ba6dd6314e06f089...93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * Apply suggestions from code review Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Junegunn Choi <junegunn.c@gmail.com> 2022-10-16 13:33:49 +00:00			`uses: actions/checkout@v3`
Create codeql-analysis.yml (#2338) 2021-02-01 14:54:45 +00:00			`with:`
			`fetch-depth: 0`

			`# Initializes the CodeQL tools for scanning.`
			`- name: Initialize CodeQL`
Use github/codeql-action@v2 (#2998) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Junegunn Choi <junegunn.c@gmail.com> 2022-10-16 13:36:59 +00:00			`uses: github/codeql-action/init@v2`
Create codeql-analysis.yml (#2338) 2021-02-01 14:54:45 +00:00			`with:`
			`languages: ${{ matrix.language }}`

			`- name: Autobuild`
Use github/codeql-action@v2 (#2998) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Junegunn Choi <junegunn.c@gmail.com> 2022-10-16 13:36:59 +00:00			`uses: github/codeql-action/autobuild@v2`
Create codeql-analysis.yml (#2338) 2021-02-01 14:54:45 +00:00
			`- name: Perform CodeQL Analysis`
Use github/codeql-action@v2 (#2998) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Junegunn Choi <junegunn.c@gmail.com> 2022-10-16 13:36:59 +00:00			`uses: github/codeql-action/analyze@v2`