codeql.yml

name: "CodeQL"

on:
  workflow_dispatch:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "37 4 * * 0"

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ Python ]

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit

      - name: Set up Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
        with:
          python-version: 3.12.4

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3.5.2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v2.3.3
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v2.3.3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v2.3.3
        with:
          category: "/language:${{ matrix.language }}"
                    
      - name: CodeQL and Dependabot Report Action
        if: ${{ github.event_name == 'workflow_dispatch' }}
        uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
        with:
          template: report
          token: ${{ secrets.SECURITY_TOKEN }}

      - name: GitHub Upload Release Artifacts
        if: ${{ github.event_name == 'workflow_dispatch' }}
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: report
          path: |
             ./report.pdf