author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-14 04:28:03 -0300 |
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-20 12:31:14 -0300 |
commit | 8d53acbbb26928da60b215c71de90293ec70fbe6 (patch) | |
tree | a3b6f04ee92b103af573638c7eb953fcf6aff590 /.github/workflows/check-python.yml | |
parent | ci: trim comments in codeql-analysis.yml (diff) | |
ci: move codeql python job into its own workflow
Only run the CodeQL Python analysis if a .py file is changed.
Diffstat (limited to '.github/workflows/check-python.yml')
-rw-r--r-- | .github/workflows/check-python.yml | 53 |
1 files changed, 53 insertions, 0 deletions
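--- /dev/null
+++ b/.github/workflows/check-python.yml
@@ -0,0 +1,53 @@
+name: Check-Python
+
+on:
+  push:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  pull_request:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  codeql-python:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+            uploads.github.com:443
+
+      - name: Checkout repository
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+
+      - name: print env
+        run: ./ci/printenv.sh
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
+        with:
+          languages: python
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05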
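Review bot: The four `uses:` references (lines 28, 41, 48 and 53 of the new file) are pinned to full commit SHAs, which is the right choice against tag-moving attacks, but none carries the conventional trailing version comment, so a reader cannot tell which release a SHA corresponds to or whether two steps are on the same version without resolving the hashes by hand; add one per pin in the form `uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # vX.Y.Z` (placeholder: fill in the tag each SHA resolves to), which also keeps Dependabot's SHA updates readable in review. The egress allow-list on lines 33-38 permits `pypi.org:443` and `files.pythonhosted.org:443`, yet no visible step installs anything from PyPI; presumably the CodeQL Python extractor fetches project dependencies, but that is inferred, so a short comment such as `# pypi.org / files.pythonhosted.org: used by the CodeQL Python extractor to fetch dependencies` above `allowed-endpoints` would make the allow-list auditable when someone later asks why those hosts are reachable. As a minor consistency point, `'**.py'` is quoted while `.github/workflows/check-python.yml` is not in both `paths:` lists; quoting both reads as one deliberate style.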