# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning name: "CodeQL" on: push: branches-ignore: # build all branches except: - 'dependabot/**' # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR) - 'dependencies/pdm' # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR) tags-ignore: - '**' paths-ignore: - '**/*.md' - '.act*' - '.editorconfig' - '.git*' - '.github/ISSUE_TEMPLATE/*' - '.github/workflows/build.yml' - '.github/workflows/stale.yml' - '.github/workflows/update-python-deps.yml' - '.github/workflows/validate-pr.yml' pull_request: paths-ignore: - '**/*.md' schedule: - cron: '10 10 * * 1' workflow_dispatch: # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/ defaults: run: shell: bash env: PYTHON_VERSION: "3.13.2" jobs: ########################################################### analyze: ########################################################### runs-on: ubuntu-latest timeout-minutes: 10 permissions: security-events: write steps: - name: Show environment variables run: env | sort - name: Git checkout uses: actions/checkout@v4 # https://github.com/actions/checkout - name: "Install Python and PDM" # https://github.com/pdm-project/setup-pdm uses: pdm-project/setup-pdm@v4 with: python-version: "${{ env.PYTHON_VERSION }}" cache: true - name: "Install: Python dependencies" run: | set -eux python --version python -m pip install --upgrade pip pip install --upgrade pdm if [[ ! -e .venv ]]; then pdm venv create || true fi pdm install -v - name: Initialize CodeQL uses: github/codeql-action/init@v3 # https://github.com/github/codeql-action/blob/main/init/action.yml with: languages: python - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 # https://github.com/github/codeql-action