workflows: Add Code Scanning

- https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning - I just joined the Code Scanning team at work and I figured I'd test out the actual product in the real world by seeing what things it points out for Homebrew, a reasonably large Ruby project. - This adds a config file to exclude `Library/Homebrew/vendor` as we can't fix problems within gems. :-)
2025-07-14 16:09:03 +08:00 · 2022-04-15 15:24:31 +01:00 · 2022-04-15 15:24:31 +01:00 · 266daffbd1
commit 266daffbd1
parent 04eab65849
2 changed files with 38 additions and 0 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@ -0,0 +1,2 @@
+paths-ignore:
+  - Library/Homebrew/vendor/
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,36 @@
+name: "CodeQL"
+
+on:
+ push:
+   branches: [ master ]
+ pull_request:
+   branches: [ master ]
+ schedule:
+   - cron: '30 2 * * 0'
+
+jobs:
+ analyze:
+   name: Analyze
+   runs-on: ubuntu-latest
+   permissions:
+     actions: read
+     contents: read
+     security-events: write
+
+   strategy:
+     fail-fast: false
+     matrix:
+       language: [ 'ruby' ]
+
+   steps:
+   - name: Checkout repository
+     uses: actions/checkout@v3
+
+   - name: Initialize CodeQL
+     uses: github/codeql-action/init@v2
+     with:
+       languages: ${{ matrix.language }}
+       config-file: ./.github/codeql/codeql-config.yml
+
+   - name: Perform CodeQL Analysis
+     uses: github/codeql-action/analyze@v2