fix: add actions language, fix gate job, align with default template

zouguangxian · zouguangxian · commit a9aaf232a77d · 2026-03-06T18:31:05.000Z
- Add 'actions' language to matrix (scans workflow files for security issues)
- Add 'packages: read' permission (required for CodeQL packs)
- Use matrix include syntax with per-language build-mode
- Rename gate job to 'all-checks' with jq pattern matching ci.yml
- Stagger schedule cron to avoid thundering herd
- Remove unnecessary submodules checkout
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -14,7 +14,7 @@ on:
       - main
       - dev
   schedule:
-    - cron: "0 0 * * 1"
+    - cron: "27 12 * * 4"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -23,74 +23,67 @@ concurrency:
 permissions:
   contents: read
   security-events: write
+  packages: read
   actions: read
 
 jobs:
   analyze:
-    name: CodeQL Analysis
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
     timeout-minutes: 30
 
     strategy:
       fail-fast: false
       matrix:
-        language: ["rust"]
+        include:
+          - language: actions
+            build-mode: none
+          - language: rust
+            build-mode: none
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          submodules: true
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
         with:
           languages: ${{ matrix.language }}
-          build-mode: none
+          build-mode: ${{ matrix.build-mode }}
           queries: security-extended
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
         with:
           category: "/language:${{ matrix.language }}"
 
   shellcheck:
     name: Shell Script Lint
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    needs: analyze
 
     permissions:
       contents: read
       security-events: write
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@2.0.0
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
         with:
           scandir: "."
           format: gcc
           severity: warning
-        continue-on-error: true
 
-  CodeQL:
+  all-checks:
     name: CodeQL
-    runs-on: ubuntu-latest
     needs: [analyze, shellcheck]
-    if: always()
-
+    if: ${{ !cancelled() }}
+    runs-on: ubuntu-latest
     steps:
-      - name: Check all jobs succeeded
+      - name: Conclusion
         run: |
-          if [ "${{ needs.analyze.result }}" != "success" ]; then
-            echo "CodeQL analysis failed"
-            exit 1
-          fi
-          if [ "${{ needs.shellcheck.result }}" != "success" ]; then
-            echo "ShellCheck lint failed"
-            exit 1
-          fi
-          echo "All security checks passed!"
+          jq -C <<< '${{ toJson(needs) }}'
+          jq --exit-status 'all(.result == "success")' <<< '${{ toJson(needs) }}'
