Pinning actions to full commit hashes is considered better practice security-wise, since a hash is immutable. Dependabot updates hash-pinned actions the same way, so there should be no problem updating actions.
# CodeQL code-scanning workflow for the repository's Python code.
name: CodeQL

on:
  # Scan on pushes to master.
  push:
    branches:
      - master
      # NOTE(review): `master` is the only positive pattern, so this negated
      # pattern appears to exclude nothing further — confirm the intent.
      - '!dependabot/**'
  # Scan pull requests; for this event `branches` filters on the base branch.
  pull_request:
    branches:
      - master
      - '!dependabot/**'
  # Weekly scheduled scan: Thursdays at 15:40 (GitHub evaluates cron in UTC).
  schedule:
    - cron: '40 15 * * 4'
  # Allow manual runs.
  workflow_dispatch:

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Job-scoped GITHUB_TOKEN permissions; any scope not listed here is
    # granted no access.
    permissions:
      actions: read
      contents: read
      # Needed to upload the analysis results to code scanning.
      security-events: write

    # Every action below is pinned to a full commit SHA; the trailing comment
    # records the release tag that SHA corresponds to.
    steps:
      - name: Clone repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Do not keep the checkout token in the local git config, so later
          # steps cannot pick it up from the workspace.
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
        with:
          languages: python
          # The leading `+` adds this suite on top of the default queries.
          queries: +security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
        with:
          # Category label attached to the uploaded results.
          category: '/language:python'