author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-14 04:28:03 -0300 |
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-20 12:31:14 -0300 |
commit | 8d53acbbb26928da60b215c71de90293ec70fbe6 (patch) | |
tree | a3b6f04ee92b103af573638c7eb953fcf6aff590 /.github | |
parent | ci: trim comments in codeql-analysis.yml (diff) | |
ci: move codeql python job into its own workflow
Only run the CodeQL Python analysis if a .py file is changed.
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/check-python.yml | 53 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 12 |
2 files changed, 54 insertions, 11 deletions
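--- /dev/null
+++ b/.github/workflows/check-python.yml
@@ -0,0 +1,53 @@
+name: Check-Python
+
+on:
+  push:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  pull_request:
+    paths:
+      - '**.py'
+      - .github/workflows/check-python.yml
+  schedule:
+    - cron: '0 7 * * 2'
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  codeql-python:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          files.pythonhosted.org:443
+          github.com:443
+          objects.githubusercontent.com:443
+          pypi.org:443
+          uploads.github.com:443
+
+    - name: Checkout repository
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+
+    - name: print env
+      run: ./ci/printenv.sh
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05
+      with:
+        languages: python
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05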
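Review bot: The new workflow pins github/codeql-action/init and /analyze at 0ba4244466797eb048eb91a6cd43d5c03ca8bd05, while codeql-analysis.yml in this same commit keeps 5b6282e01c62d02e720b81eb8a51204f527c3624 for the same action (third hunk of that file), so the two scanners run at different revisions and the next bump becomes two separate changes; pinning both workflows to one commit keeps the jobs comparable. Pinning by full SHA is the right supply-chain choice, but a trailing version comment such as `uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # <release tag>` (likewise for analyze, checkout and harden-runner) lets readers and update bots see which release each SHA corresponds to. The allowed-endpoints list also admits files.pythonhosted.org and pypi.org although no visible step installs anything; presumably this is for the CodeQL Python extractor fetching dependencies, so a comment like `# pypi.org / files.pythonhosted.org: presumably needed by the CodeQL python extractor — confirm` on those lines would record why the egress allowlist is wider than the steps suggest, and if the extractor does not need them they can be dropped.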
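--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -44,14 +44,6 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
 
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp', 'python' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
@@ -60,10 +52,8 @@ jobs:
         egress-policy: block
         allowed-endpoints: >
           api.github.com:443
-          files.pythonhosted.org:443
           github.com:443
           objects.githubusercontent.com:443
-          pypi.org:443
           uploads.github.com:443
 
     - name: Checkout repository
@@ -76,7 +66,7 @@ jobs:
     - name: Initialize CodeQL
       uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624
       with:
-        languages: ${{ matrix.language }}
+        languages: cpp
 
     # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)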
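Review bot: With the matrix gone, the new `languages: cpp` line in the third hunk no longer tells a reader where the Python analysis went; a comment such as `languages: cpp  # python is analyzed separately in check-python.yml` would save a trip through the git log. Removing the matrix also changes the check-run name from the matrix-expanded form to the bare job name, so if branch protection lists the old per-language check as required it will need updating — verify in the repository settings. The Analyze job continues past the end of this hunk.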