From 08c304b221613ed660570856585d47871de44db1 Mon Sep 17 00:00:00 2001
From: Stephen Colebourne
Date: Sun, 6 Oct 2024 12:31:02 +0100
Subject: [PATCH] Update build script
* Add CodeQL
---
 .github/workflows/build.yml | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9f109b0..6641bd8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,24 +9,27 @@ on:
 - 'website*'
 pull_request:
 branches:
- - '*'
+ - 'main'
 permissions:
 contents: read
 jobs:
 build:
+ permissions:
+ security-events: write # for github/codeql-action
 runs-on: ubuntu-latest
 strategy:
 matrix:
 java: [8, 11]
-
 steps:
 - name: Checkout
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #v3.0.2
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.PERSONAL_TOKEN_GH }}
 - name: Set up JDK
- uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 #v3.4.1
+ uses: actions/setup-java@v4
 with:
 java-version: ${{ matrix.java }}
 distribution: 'temurin'
@@ -35,14 +38,22 @@ jobs:
 - name: Maven version
 run: |
 mkdir -p ./.mvn
- echo '-e -B -DtrimStackTrace=false' > ./.mvn/maven.config
+ echo '-e -B -ntp -DtrimStackTrace=false' > ./.mvn/maven.config
 mvn --version
 mkdir -p target
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: java
+
 - name: Maven build
 run: |
 mvn install site
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+
 - name: Website
 if: matrix.java == '11' && github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/website') || startsWith(github.ref, 'refs/tags/v'))
 env:
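Review bot: The Checkout step now passes `secrets.PERSONAL_TOKEN_GH` to `actions/checkout`, which by default leaves the token in the workspace git configuration for the rest of the job, so every later step in both matrix entries (the Maven build and its plugins included) can read a personal access token that presumably carries more than the job's declared permissions. If the token is only needed by a later publishing step, add `persist-credentials: false` under this `with:` and hand the secret to that step alone. The hunk also swaps the commit-SHA pins on `actions/checkout` and `actions/setup-java` for the movable tag `@v4` (the second hunk adds `github/codeql-action/*@v3` the same way), so a retagged release would run with that token in reach; keep the form the file had, e.g. `uses: actions/checkout@<full-commit-sha-of-v4> # v4`. A job-level `permissions:` block replaces the workflow-level one rather than extending it, so `contents: read` should be repeated beside `security-events: write` if the job is meant to keep it.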
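Review bot: The two CodeQL steps carry no `if:` condition, so they run in both `java: [8, 11]` matrix entries and, as far as this hunk shows, the same sources are traced, analysed and uploaded twice per run, with the traced build also covering the `site` goal. Gating both steps the way the Website step is gated, e.g. `if: matrix.java == '11'` on `Initialize CodeQL` and on `Perform CodeQL Analysis`, keeps one analysis per commit and leaves the Java 8 entry as a plain build. The Website step's `env:` block continues past the end of the hunk, so how that step consumes credentials is not visible here.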