ci(security): add clean CodeQL workflow v4

Neiland85 · Neiland85 · commit 2f0c5128c9d7 · 2025-12-11T02:21:55.000+01:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,62 +1,46 @@
-name: "CodeQL Analysis"
+name: "CodeQL Security Scan"
 
 on:
   push:
-    branches: [ "main", "feature/karpathy-lab-init" ]
+    branches:
+      - main
   pull_request:
-    branches: [ "main" ]
+    branches:
+      - main
   schedule:
-    # Run CodeQL every Monday at 9:00 AM UTC
-    - cron: '0 9 * * 1'
-  workflow_dispatch:
-
-permissions:
-  actions: read
-  contents: read
-  security-events: write
+    - cron: "0 3 * * 0"   # Opcional: escaneo semanal cada domingo a las 03:00
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze code with CodeQL
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'python' ]
+        language: ["python"]
 
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
       uses: actions/checkout@v6
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
 
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
-      with:
-        languages: ${{ matrix.language }}
-        queries: security-extended,security-and-quality
-        config: |
-          paths-ignore:
-            - '**/test/**'
-            - '**/tests/**'
-            - '**/*_test.py'
-            - '**/test_*.py'
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
-      with:
-        category: "/language:${{matrix.language}}"
-        upload: true
-        output: sarif-results
-
-    - name: Upload CodeQL results
-      uses: actions/upload-artifact@v4
-      if: always()
-      with:
-        name: codeql-results
-        path: sarif-results
-        retention-days: 30
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"
