feat: add plan addon filters #632

	name: CodeQL Go

	on:
	pull_request:
	types: [opened, synchronize, reopened, ready_for_review]
	paths:
	- "*/.go"
	- "go.mod"
	- "go.sum"
	- "flake.*"
	- "Makefile"
	- ".github/workflows/codeql-go.yaml"
	push:
	branches: [main]
	paths:
	- "*/.go"
	- "go.mod"
	- "go.sum"
	- "flake.*"
	- "Makefile"
	- ".github/workflows/codeql-go.yaml"
	schedule:
	- cron: "30 2 * * 1"
	workflow_dispatch:

	permissions:
	contents: read
	security-events: write
	packages: read

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	jobs:
	analyze-go:
	name: Analyze Go
	if: ${{ github.event_name != 'pull_request' \|\| !github.event.pull_request.draft }}
	runs-on: depot-ubuntu-latest-16
	timeout-minutes: 60

	steps:
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false

	- name: Set up Go
	uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
	with:
	go-version-file: go.mod
	cache: true

	- name: Initialize CodeQL
	uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
	with:
	languages: go
	build-mode: manual
	dependency-caching: false

	- name: Build backend for CodeQL (PRs only)
	if: ${{ github.event_name == 'pull_request' }}
	run: \|
	make build-server GO_BUILD_FLAGS=

	- name: Full build report for CodeQL (non-PRs only)
	if: ${{ github.event_name != 'pull_request' }}
	run: \|
	make build GO_BUILD_FLAGS=

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
	with:
	category: "/language:go"

Provide feedback