PR: CodeQL security scan #585
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "PR: CodeQL security scan" | |
| on: | |
| # When changes are pushed to special branches | |
| # Branch `develop` and `domain-*` are handled by continuous-integration.yml, which calls this workflow | |
| push: | |
| branches: [main] | |
| schedule: | |
| - cron: 31 6 * * 5 | |
| # Allow manual triggering | |
| workflow_dispatch: | |
| # Trigger when called by another GitHub Action | |
| workflow_call: | |
| jobs: | |
| analyze: | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| concurrency: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }} | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: | |
| - java | |
| - python | |
| - ruby | |
| steps: | |
| - name: "Checkout source code" | |
| uses: actions/checkout@v4 | |
| - name: Set up VRO build env | |
| uses: ./.github/actions/setup-vro | |
| # Run a build in case it results in new files being generated but don't test since that is done in a different workflow. | |
| # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#configuring-code-scanning-for-compiled-languages | |
| - name: Build VRO without testing | |
| run: ./gradlew build -x test -x check | |
| - name: Run Code Scanning | |
| uses: department-of-veterans-affairs/codeql-tools/codeql-analysis@main | |
| with: | |
| language: ${{ matrix.language }} |