Add CodeQL analysis for GitHub Actions

- Add CodeQL analysis for GitHub Actions. - Refactor permissions. - Add overall job/status for all languages. - Standardize workflow with other repos.
martincostello · Feb 14, 2025 · 339c491 · 339c491
1 parent 2600b9e
commit 339c491
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 9 deletions.
diff --git a/.github/workflows/codeql-analysis.yml → .github/workflows/codeql.yml b/.github/workflows/codeql-analysis.yml → .github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-name: code-scan
+name: codeql
 
 on:
   push:
@@ -12,18 +12,22 @@ on:
     - cron: '0 6 * * MON'
   workflow_dispatch:
 
-permissions:
-  actions: read
-  contents: read
+permissions: {}
 
 jobs:
-  code-ql:
-
+  analysis:
     runs-on: ubuntu-latest
 
     permissions:
+      actions: read
+      contents: read
       security-events: write
 
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'actions', 'csharp' ]
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -35,10 +39,29 @@ jobs:
       uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
       with:
         build-mode: none
-        languages: 'csharp'
+        languages: ${{ matrix.language }}
         queries: security-and-quality
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
       with:
-        category: "/language:csharp"
+        category: '/language:${{ matrix.language }}'
+
+  codeql:
+    if: ${{ !cancelled() }}
+    needs: [ analysis ]
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Report status
+      shell: bash
+      env:
+        SCAN_SUCCESS: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+      run: |
+        if [ "${SCAN_SUCCESS}" == "true" ]
+        then
+          echo 'CodeQL analysis successful ✅'
+        else
+          echo 'CodeQL analysis failed ❌'
+          exit 1
+        fi
diff --git a/SqlLocalDb.sln b/SqlLocalDb.sln
@@ -62,7 +62,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "workflows", "workflows", "{
 	ProjectSection(SolutionItems) = preProject
 		.github\workflows\build.yml = .github\workflows\build.yml
 		.github\workflows\bump-version.yml = .github\workflows\bump-version.yml
-		.github\workflows\codeql-analysis.yml = .github\workflows\codeql-analysis.yml
+		.github\workflows\codeql.yml = .github\workflows\codeql.yml
 		.github\workflows\dependency-review.yml = .github\workflows\dependency-review.yml
 		.github\workflows\lint.yml = .github\workflows\lint.yml
 		.github\workflows\ossf-scorecard.yml = .github\workflows\ossf-scorecard.yml