error-prone-support/.github/workflows/codeql.yml

# Analyzes the code using GitHub's default CodeQL query database.
# Identified issues are registered with GitHub's code scanning dashboard. When
# a pull request is analyzed, any offending lines are annotated. See
# https://codeql.github.com for details.
name: CodeQL analysis
on:
  pull_request:
  push:
    branches: [ master ]
  schedule:
    - cron: '0 4 * * 1'
permissions:
  contents: read
jobs:
  analyze:
    strategy:
      matrix:
        language: [ java, ruby ]
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-24.04
    steps:
      - name: Install Harden-Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.adoptium.net:443
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            repo.maven.apache.org:443
            uploads.github.com:443
      - name: Check out code and set up JDK and Maven
        uses: s4u/setup-maven-action@382542f77617f34e56bf83868920a4d45b7451e7 # v1.16.0
        with:
          java-version: 17.0.13
          java-distribution: temurin
          maven-version: 3.9.9
      - name: Initialize CodeQL
        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
        with:
          languages: ${{ matrix.language }}
      - name: Perform minimal build
        if: matrix.language == 'java'
        run: mvn -T1C clean package -DskipTests -Dverification.skip
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
        with:
          category: /language:${{ matrix.language }}