CI: add CodeQL workflow

2026-03-12 07:20:45 +00:00 · 2026-03-07 18:15:06 -08:00
parent 49261b0d82
commit b2f8f5e4dd
1 changed files with 83 additions and 0 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,83 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ matrix.runs_on }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: javascript-typescript
+            runs_on: blacksmith-16vcpu-ubuntu-2404
+            needs_node: true
+            needs_python: false
+            needs_autobuild: false
+          - language: actions
+            runs_on: blacksmith-16vcpu-ubuntu-2404
+            needs_node: false
+            needs_python: false
+            needs_autobuild: false
+          - language: python
+            runs_on: blacksmith-16vcpu-ubuntu-2404
+            needs_node: false
+            needs_python: true
+            needs_autobuild: false
+          - language: java-kotlin
+            runs_on: blacksmith-16vcpu-ubuntu-2404
+            needs_node: false
+            needs_python: false
+            needs_autobuild: true
+          - language: swift
+            runs_on: macos-latest
+            needs_node: false
+            needs_python: false
+            needs_autobuild: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: false
+
+      - name: Setup Node environment
+        if: matrix.needs_node
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+          use-sticky-disk: "true"
+
+      - name: Setup Python
+        if: matrix.needs_python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Autobuild
+        if: matrix.needs_autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"