actions/codeql-action
1
0
Fork 0
mirror of https://github.com/github/codeql-action synced 2026-05-29 05:00:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into henrymercer/slim-pr-checks

Browse Source
This commit is contained in:
Henry Mercer
2025-09-24 19:29:32 +02:00
parent 4082f8c39f 8e25b3435d
commit a34e1cd60b
64 changed files with 72 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/dependabot.yml
+2 -2
View File
@@ -21,8 +21,8 @@ updates:
- "*"
- package-ecosystem: github-actions
directories:
- "/"
- "/.github/actions" # All subdirectories outside of "/.github/workflows" must be explicitly included.
- "/.github/workflows"
- "/.github/actions"
schedule:
interval: weekly
labels:
.github/workflows/__all-platform-bundle.yml
Generated
+1
View File
@@ -53,6 +53,7 @@ jobs:
- os: windows-latest
version: nightly-latest
name: All-platform bundle
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__analyze-ref-input.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: default
name: "Analyze: 'ref' and 'sha' from inputs"
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__autobuild-action.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: windows-latest
version: linked
name: autobuild-action
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
Generated
+1
View File
@@ -55,6 +55,7 @@ jobs:
- os: windows-latest
version: nightly-latest
name: Autobuild direct tracing (custom working directory)
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__autobuild-working-dir.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: ubuntu-latest
version: linked
name: Autobuild working directory
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__build-mode-autobuild.yml
Generated
+1
View File
@@ -55,6 +55,7 @@ jobs:
- os: windows-latest
version: nightly-latest
name: Build mode autobuild
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__build-mode-manual.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Build mode manual
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__build-mode-none.yml
Generated
+1
View File
@@ -41,6 +41,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Build mode none
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__build-mode-rollback.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Build mode rollback
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__bundle-toolcache.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: windows-latest
version: linked
name: 'Bundle: Caching checks'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__bundle-zstd.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: windows-latest
version: linked
name: 'Bundle: Zstandard checks'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__cleanup-db-cluster-dir.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: ubuntu-latest
version: linked
name: Clean up database cluster directory
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__config-export.yml
Generated
+1
View File
@@ -41,6 +41,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Config export
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__config-input.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: ubuntu-latest
version: linked
name: Config input
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__cpp-deptrace-disabled.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'C/C++: disabling autoinstalling dependencies (Linux)'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__cpp-deptrace-enabled-on-macos.yml
Generated
+1
View File
@@ -41,6 +41,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__cpp-deptrace-enabled.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'C/C++: autoinstalling dependencies (Linux)'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__diagnostics-export.yml
Generated
+1
View File
@@ -41,6 +41,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Diagnostic export
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__export-file-baseline-information.yml
Generated
+1
View File
@@ -53,6 +53,7 @@ jobs:
- os: windows-latest
version: nightly-latest
name: Export file baseline information
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__extractor-ram-threads.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: ubuntu-latest
version: linked
name: Extractor ram and threads options test
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__global-proxy.yml
Generated
+1
View File
@@ -41,6 +41,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Proxy test
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__go-custom-queries.yml
Generated
+1
View File
@@ -51,6 +51,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'Go: Custom queries'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: default
name: 'Go: diagnostic when Go is changed after init step'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: default
name: 'Go: diagnostic when `file` is not installed'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__go-indirect-tracing-workaround.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: default
name: 'Go: workaround for indirect tracing'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__go-tracing-autobuilder.yml
Generated
+1
View File
@@ -83,6 +83,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: 'Go: tracing with autobuilder step'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__go-tracing-custom-build-steps.yml
Generated
+1
View File
@@ -83,6 +83,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: 'Go: tracing with custom build steps'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__go-tracing-legacy-workflow.yml
Generated
+1
View File
@@ -83,6 +83,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: 'Go: tracing with legacy workflow'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__init-with-registries.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'Packaging: Download using registries'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
packages: read
.github/workflows/__javascript-source-root.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Custom source root
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__job-run-uuid-sarif.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Job run UUID added to SARIF
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__language-aliases.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: ubuntu-latest
version: linked
name: Language aliases
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__local-bundle.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: linked
name: Local CodeQL bundle
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__multi-language-autodetect.yml
Generated
+1
View File
@@ -83,6 +83,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Multi-language repository
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__overlay-init-fallback.yml
Generated
+1
View File
@@ -41,6 +41,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Overlay database init fallback
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__packaging-codescanning-config-inputs-js.yml
Generated
+1
View File
@@ -53,6 +53,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'Packaging: Config and input passed to the CLI'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__packaging-config-inputs-js.yml
Generated
+1
View File
@@ -53,6 +53,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'Packaging: Config and input'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__packaging-config-js.yml
Generated
+1
View File
@@ -53,6 +53,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'Packaging: Config file'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__packaging-inputs-js.yml
Generated
+1
View File
@@ -53,6 +53,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'Packaging: Action input'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__quality-queries.yml
Generated
+1
View File
@@ -55,6 +55,7 @@ jobs:
version: nightly-latest
analysis-kinds: code-scanning,code-quality
name: Quality queries input
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__remote-config.yml
Generated
+1
View File
@@ -51,6 +51,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Remote config file
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__resolve-environment-action.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Resolve environment
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__rubocop-multi-language.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: ubuntu-latest
version: default
name: RuboCop multi-language
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__ruby.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: Ruby analysis
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__rust.yml
Generated
+1
View File
@@ -47,6 +47,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Rust analysis
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__split-workflow.yml
Generated
+1
View File
@@ -59,6 +59,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: Split workflow
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__start-proxy.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: windows-latest
version: linked
name: Start proxy
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__submit-sarif-failure.yml
Generated
+1
View File
@@ -43,6 +43,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Submit SARIF after failure
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: write # needed to upload the SARIF file
.github/workflows/__swift-autobuild.yml
Generated
+1
View File
@@ -39,6 +39,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: Swift analysis using autobuild
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__swift-custom-build.yml
Generated
+1
View File
@@ -53,6 +53,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: Swift analysis using a custom build command
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__unset-environment.yml
Generated
+1
View File
@@ -51,6 +51,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Test unsetting environment variables
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__upload-quality-sarif.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: default
name: 'Upload-sarif: code quality endpoint'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__upload-ref-sha-input.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: default
name: "Upload-sarif: 'ref' and 'sha' from inputs"
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/__with-checkout-path.yml
Generated
+1
View File
@@ -49,6 +49,7 @@ jobs:
- os: ubuntu-latest
version: linked
name: Use a custom `checkout_path`
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
.github/workflows/codeql.yml
+3
View File
@@ -23,6 +23,7 @@ env:
jobs:
# Identify the CodeQL tool versions to use in the analysis job.
check-codeql-versions:
if: github.triggering_actor != 'dependabot[bot]'
runs-on: ubuntu-latest
outputs:
versions: ${{ steps.compare.outputs.versions }}
@@ -75,6 +76,7 @@ jobs:
echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
analyze-javascript:
if: github.triggering_actor != 'dependabot[bot]'
needs: [check-codeql-versions]
strategy:
fail-fast: false
@@ -110,6 +112,7 @@ jobs:
upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
analyze-other:
if: github.triggering_actor != 'dependabot[bot]'
runs-on: ubuntu-latest
strategy:
.github/workflows/codescanning-config-cli.yml
+1
View File
@@ -28,6 +28,7 @@ defaults:
jobs:
code-scanning-config-tests:
if: github.triggering_actor != 'dependabot[bot]'
continue-on-error: true
permissions:
.github/workflows/debug-artifacts-failure-safe.yml
+2
View File
@@ -24,6 +24,7 @@ defaults:
jobs:
upload-artifacts:
if: github.triggering_actor != 'dependabot[bot]'
strategy:
fail-fast: false
matrix:
@@ -70,6 +71,7 @@ jobs:
expect-error: true
download-and-check-artifacts:
name: Download and check debug artifacts after failure in analyze
if: github.triggering_actor != 'dependabot[bot]'
needs: upload-artifacts
timeout-minutes: 45
permissions:
.github/workflows/debug-artifacts-safe.yml
+2
View File
@@ -23,6 +23,7 @@ defaults:
jobs:
upload-artifacts:
if: github.triggering_actor != 'dependabot[bot]'
strategy:
fail-fast: false
matrix:
@@ -64,6 +65,7 @@ jobs:
id: analysis
download-and-check-artifacts:
name: Download and check debug artifacts
if: github.triggering_actor != 'dependabot[bot]'
needs: upload-artifacts
timeout-minutes: 45
permissions:
.github/workflows/pr-checks.yml
+3 -2
View File
@@ -15,6 +15,7 @@ defaults:
jobs:
unit-tests:
name: Unit Tests
if: github.triggering_actor != 'dependabot[bot]'
strategy:
fail-fast: false
matrix:
@@ -31,7 +32,7 @@ jobs:
run: git config --global core.autocrlf false
- uses: actions/checkout@v5
- name: Set up Node.js
uses: actions/setup-node@v5
with:
@@ -75,7 +76,7 @@ jobs:
category: eslint
check-node-version:
if: github.event.pull_request
if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
name: Check Action Node versions
runs-on: ubuntu-latest
timeout-minutes: 45
.github/workflows/python312-windows.yml
+1
View File
@@ -18,6 +18,7 @@ defaults:
jobs:
test-setup-python-scripts:
if: github.triggering_actor != 'dependabot[bot]'
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
.github/workflows/query-filters.yml
+1
View File
@@ -22,6 +22,7 @@ defaults:
jobs:
query-filters:
name: Query Filters Tests
if: github.triggering_actor != 'dependabot[bot]'
timeout-minutes: 45
runs-on: ubuntu-latest
permissions:
.github/workflows/test-codeql-bundle-all.yml
+2 -1
View File
@@ -28,6 +28,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: 'CodeQL Bundle All'
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
security-events: read
@@ -46,7 +47,7 @@ jobs:
uses: ./../action/init
with:
# We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
languages: cpp,csharp,go,java,javascript,python,ruby
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
run: ./build.sh