chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 (#21) #91
| # CodeQL Security Analysis | |
| # | |
| # Scope: Analyzes GitHub Actions workflow files (YAML) only. | |
| # Note: Bash scripts are NOT analyzed by CodeQL (unsupported language). | |
| # Bash script security is handled by ShellCheck (ci.yml) and | |
| # custom security checks (security.yml). | |
| name: CodeQL | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: [main] | |
| paths: | |
| - '**.yml' | |
| - '**.yaml' | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - '**.yml' | |
| - '**.yaml' | |
| schedule: | |
| - cron: '0 6 * * 1' # Weekly on Monday 6am UTC | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.event_name != 'schedule' }} | |
| permissions: {} | |
| jobs: | |
| analyze: | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| release-assets.githubusercontent.com:443 | |
| uploads.github.com:443 | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| # Scope: This workflow only analyzes GitHub Actions workflows (YAML files). | |
| # CodeQL does not support bash - bash scripts are analyzed by: | |
| # - ShellCheck in ci.yml (lint and security rules) | |
| # - Custom security checks in security.yml (hardcoded secrets, unsafe patterns) | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@cb4e075f119f8bccbc942d49655b2cd4dc6e615a # v4 | |
| with: | |
| languages: actions | |
| queries: security-and-quality | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@cb4e075f119f8bccbc942d49655b2cd4dc6e615a # v4 | |
| with: | |
| category: "/language:actions" | |
| - name: Summary | |
| if: success() | |
| run: | | |
| { | |
| echo "## CodeQL Analysis Complete" | |
| echo "" | |
| echo "**Languages analyzed:** GitHub Actions" | |
| echo "" | |
| echo "Results are available in the [Security tab](https://github.com/${{ github.repository }}/security/code-scanning)." | |
| } >> "$GITHUB_STEP_SUMMARY" |
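Review bot: The Summary step's `run:` block at the end of the section interpolates `${{ github.repository }}` straight into the shell script; `github.repository` is not attacker-controlled, so this is not an injection today, but the defensive convention for `run:` scripts is to pass contexts through an intermediate environment variable so a later edit cannot quietly swap in a user-controlled one. Consider adding `env:` with `REPO: ${{ github.repository }}` to that step and writing `echo "Results are available in the [Security tab](https://github.com/${REPO}/security/code-scanning)."` in the script. On the same step, `if: success()` is the implicit default for a step and can be dropped. The file shown here does not reference dependabot/fetch-metadata, so I take this to be a file view attached to the PR rather than the bump itself; the note applies to the workflow as rendered.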