From 30fc50150386b55e31b434cb6205fdbcf6806b84 Mon Sep 17 00:00:00 2001
From: martincostello
Date: Sat, 15 Feb 2025 11:54:26 +0000
Subject: [PATCH] Run CodeQL for GitHub Actions

- Add GitHub Actions to the CodeQL analysis.
- Rename jobs.
- Add summary job for a single required status.
- Refactor permissions.
---
 .../{codeql-analysis.yml => code-ql.yml} | 32 +++++++++++++++----
 1 file changed, 25 insertions(+), 7 deletions(-)
 rename .github/workflows/{codeql-analysis.yml => code-ql.yml} (60%)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/code-ql.yml
similarity index 60%
rename from .github/workflows/codeql-analysis.yml
rename to .github/workflows/code-ql.yml
index 6fba9012cb7..4ed75241ee1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/code-ql.yml
@@ -1,4 +1,4 @@ -name: code-scan +name: code-ql on: push:
@@ -14,22 +14,21 @@ on: - cron: '0 8 * * MON' workflow_dispatch: -permissions: - actions: read - contents: read +permissions: {} jobs: - code-ql: - + analysis: runs-on: ubuntu-latest permissions: + actions: read + contents: read security-events: write strategy: fail-fast: false matrix: - language: [ 'csharp' ] + language: [ 'actions', 'csharp' ] steps: - name: Checkout repository
@@ -48,3 +47,22 @@ jobs: uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 with: category: '/language:${{ matrix.language }}'
+
+ code-ql:
+ if: ${{ !cancelled() }}
+ needs: [ analysis ]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Report status
+ shell: bash
+ env:
+ SCAN_SUCCESS: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+ run: |
+ if [ "${SCAN_SUCCESS}" == "true" ]
+ then
+ echo 'CodeQL analysis successful ✅'
+ else
+ echo '::error title=CodeQL::CodeQL analysis failed ❌'
+ exit 1
+ fi
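Review bot: The status gate in the new code-ql job treats a skipped dependency as a pass, because SCAN_SUCCESS only rejects 'failure' and 'cancelled' in needs.*.result while the job's `if: ${{ !cancelled() }}` lets it run in every other case; if `analysis` ever gains an `if:` (or another job is added to `needs`) and ends up skipped, the single required status would go green without a scan having run. Adding `&& !contains(needs.*.result, 'skipped')` to the SCAN_SUCCESS expression closes that gap while keeping the wildcard form that scales to more needs. Passing the expression through `env:` instead of interpolating it into `run:` is the right choice and should stay as is. The job declares no permissions of its own, so with the top-level `permissions: {}` from the earlier hunk it appears to run with no token scopes, which is appropriate for a job that only echoes a result.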