llama-stack/.github/workflows/codeql.yml at main · SysBind/llama-stack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: "CodeQL Workflow Security Scan"

on:
  pull_request:
    # PRs are checked for new issues
    branches: [ "main" ]
    # Limit scans to changes in the .github directory, bash scripts are not scanned anyway
    paths:
      - '.github/**'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # actions is the most specific language option for
        # codeql does NOT support Bash
        # In case javascript is used in workflows, that should be added or replace
        language: [ 'actions' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4

    # Initializes CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3
      with:
        languages: ${{ matrix.language }}
        # "security-extended" is recommended for higher severity coverage - not necessary can be removed to speed up
        queries: security-extended

    # Scans the code and uploads results to GitHub Security tab.
    # The "Fail on High" logic is handled by Branch Protection Rules in Settings
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3
      with:
        category: "/language:${{ matrix.language }}"