From 0424d2608f94494aecd00c01f42c9e5a2062ecd9 Mon Sep 17 00:00:00 2001 From: naorpeled Date: Sat, 2 May 2026 23:35:59 +0300 Subject: [PATCH] ci: add CodeQL workflow for Python static analysis MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Runs github/codeql-action with the default security-extended and security-and-quality query suites against the Python codebase on push to main, on PRs targeting main, and weekly so newly-published advisories get re-evaluated against the current source. build-mode: none — pr-agent is pure Python with no C extensions or custom build steps, so CodeQL's automatic source-only analysis is sufficient and faster than the build/autobuild path. Findings will surface under the repo's Security → Code scanning tab. Third-party actions pinned to commit SHAs (matches the policy already in publish.yml). --- .github/workflows/codeql.yml | 44 ++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..7a9e35b7f8 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,44 @@ +name: CodeQL + +on: + push: + branches: + - main + pull_request: + branches: + - main + schedule: + # Weekly on Monday at 06:00 UTC — catches advisories that landed + # without a corresponding code change in this repo. + - cron: '0 6 * * 1' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + permissions: + security-events: write + packages: read + actions: read + contents: read + strategy: + fail-fast: false + matrix: + include: + - language: python + build-mode: none + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + + - uses: github/codeql-action/init@53e96ec3b35fce51c141c0d6f0e31028a448722d # v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: security-extended,security-and-quality + + - uses: github/codeql-action/analyze@53e96ec3b35fce51c141c0d6f0e31028a448722d # v3 + with: + category: "/language:${{ matrix.language }}"