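# Scan the code for security vulnerabilities with CodeQL.
# See https://github.com/github/codeql-action
name: "CodeQL"

on:
  push:
    branches:
      - "main"
      - "develop"
  pull_request:
    # The branches below must be a subset of the branches above.
    branches:
      - "main"
      - "develop"

jobs:
  scan:
    strategy:
      matrix:
        os:
          - "ubuntu-latest"
        python-version:
          - "3.9"
    runs-on: "${{ matrix.os }}"
    # Declaring `permissions` on a job sets every scope that is NOT listed
    # to `none`, so only naming `security-events` would leave the token
    # without the scopes the other steps need:
    #   contents: read         -> actions/checkout fetches the repository
    #   actions: read          -> codeql-action reads workflow-run metadata
    #   security-events: write -> codeql-action uploads the SARIF results
    permissions:
      actions: "read"
      contents: "read"
      security-events: "write"
    # NOTE(review): every action below is referenced by a mutable major-version
    # tag (@v2/@v3/@v4/@v5). Pinning to a full commit SHA (with the version in
    # a trailing comment) keeps a moved tag from changing what this job runs.
    steps:
      - name: "Checkout repository"
        uses: "actions/checkout@v4"

      - name: "Set up Python ${{ matrix.python-version }}"
        uses: "actions/setup-python@v5"
        with:
          python-version: "${{ matrix.python-version }}"

      - name: "Export ${HOME}/.local/bin to ${PATH}"
        # Executable Python binaries are usually stored there.
        run: 'echo "${HOME}/.local/bin" >> ${GITHUB_PATH}'

      - name: "Get pip cache dir"
        # pip's cache path depends on the operating system. See
        # https://github.com/actions/cache/blob/main/examples.md#python---pip
        # This requires pip >=20.1.
        id: "pip-cache"
        run: |
          python -m pip install --user --upgrade pip
          echo "dir=$(pip cache dir)" >> ${GITHUB_OUTPUT}

      - name: "Create/Restore cache"
        uses: "actions/cache@v3"
        with:
          path: "${{ steps.pip-cache.outputs.dir }}/**"
          # Single-line key: a `|` block scalar would keep a trailing newline
          # as part of the cache key.
          key: "${{ runner.os }}-${{ matrix.python-version }}-${{ github.job }}"
          # One fallback key per line, most specific first.
          restore-keys: |
            ${{ runner.os }}-${{ matrix.python-version }}
            ${{ runner.os }}

      - name: "Install/Upgrade setuptools and wheel"
        run: "python -m pip install --user --upgrade setuptools wheel"

      - name: "Install/Upgrade this project"
        run: |
          python -m pip install --user --upgrade .
          # Set the `CODEQL_PYTHON` environment variable to the Python
          # executable that includes the dependencies.
          echo "CODEQL_PYTHON=$(which python)" >> ${GITHUB_ENV}

      - name: "Initialize CodeQL"
        uses: "github/codeql-action/init@v2"
        with:
          languages: "python"
          # Override the default behavior so that the action doesn't
          # attempt to auto-install Python dependencies. See
          # https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#analyzing-python-dependencies
          setup-python-dependencies: false

      - name: "Perform CodeQL Analysis"
        uses: "github/codeql-action/analyze@v2"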