CodeQL Security Analysis #146
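# CodeQL static analysis of the C# sources. Findings are uploaded to the
# repository's code-scanning alerts, which is why `security-events: write`
# is granted below. All actions are pinned to full commit SHAs; keep the
# trailing version comments in sync when bumping so automated updaters
# (Dependabot/Renovate) track the right release.
name: CodeQL Security Analysis

on:
  workflow_call: # Called from ci.yml after quick-test passes
  workflow_dispatch: # Manual trigger
  schedule:
    # Run weekly on Monday at 00:00 UTC (scheduled runs only fire on the default branch)
    - cron: '0 0 * * 1'

# Least-privilege token for every job in this workflow: `security-events: write`
# is the only write scope and is what codeql-action/analyze needs to upload
# SARIF. When invoked through workflow_call the caller must grant at least these.
permissions:
  security-events: write
  actions: read
  contents: read

jobs:
  analyze:
    name: Analyze C# Code
    runs-on: ubuntu-latest
    steps:
      # Records every outbound connection made by later steps. `audit` only
      # logs; once the egress baseline from a few runs is known, switch to
      # `egress-policy: block` with an `allowed-endpoints` list so that a
      # compromised build step or NuGet package cannot exfiltrate the job
      # token or pull unexpected code.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history is not required for CodeQL analysis; presumably the
          # build needs tags for versioning — confirm before reducing this to
          # the default depth.
          fetch-depth: 0
          # Do not persist GITHUB_TOKEN in .git/config. No later step pushes
          # or needs git credentials, and `dotnet restore`/`build` execute
          # MSBuild targets from restored packages that could otherwise read
          # the token from the working tree.
          persist-credentials: false

      # Must precede the build step so that the C# compiler invocations are
      # traced by the CodeQL extractor.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          languages: csharp
          # Broader suite than the default `security-extended`; also reports
          # quality findings.
          queries: security-and-quality

      - name: Setup .NET 9.0.x
        uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
        with:
          # Quoted so the value is never read as a number by tooling.
          dotnet-version: '9.0.x'

      # Restore-time optimisation only: a missing or stale entry means the
      # packages are fetched again, nothing is trusted from the cache that
      # `dotnet restore` would not re-verify.
      - name: Cache NuGet packages
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: |
            ${{ runner.os }}-nuget-

      # NOTE(review): without a committed packages.lock.json and
      # `--locked-mode`, restore resolves any floating version ranges at run
      # time, so the dependency graph CodeQL analyses can drift between runs.
      - name: Restore dependencies
        run: dotnet restore Rivulet.slnx

      - name: Build (Release)
        run: dotnet build Rivulet.slnx -c Release --no-restore

      # Runs the query suite over the traced build and uploads the SARIF.
      # The explicit category keeps this upload distinct from any other
      # CodeQL configuration analysing the same commit.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          category: "/language:csharp"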