chore: migrate codeql analysis to composable action (#18)

- Use ivuorinen/actions/codeql-analysis composite action - Pin action ref to commit hash - Add queries: security-and-quality - Set proper permissions structure
2026-03-13 10:00:35 +00:00 · 2026-03-07 19:15:35 +02:00
parent 6b8b86ee6a
commit 718fc45dca
2 changed files with 34 additions and 74 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+  schedule:
+    - cron: "30 1 * * 0"
+  merge_group:
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["actions", "python"]
+    steps:
+      - name: CodeQL Analysis
+        uses: ivuorinen/actions/codeql-analysis@97105fc2a909360678588cb50caf0be5144be486 # v2026.03.06
+        with:
+          language: ${{ matrix.language }}
+          queries: security-and-quality