e7db
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 44 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎.github/workflows/docker-image.yml‎
Lines changed: 6 additions & 2 deletions b/‎.github/workflows/docker-image.yml‎
Lines changed: 6 additions & 2 deletions
@@ -0,0 +1,44 @@
+name: "CodeQL"
+
+on:
+  push:
+    tags:
+      - "*"
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - actions
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
@@ -10,7 +10,7 @@ on:
     branches:
       - main
   schedule:
-    - cron: '0 0 * * *'
+    - cron: "0 6 * * 1"
   workflow_dispatch:
 
 permissions:
@@ -24,6 +24,8 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    env:
+      HAS_DOCKERHUB_SECRETS: ${{ github.event_name != 'pull_request' || github.repository == github.event.pull_request.head.repo.full_name }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -32,6 +34,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Login to Docker Hub
+        if: ${{ env.HAS_DOCKERHUB_SECRETS }}
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -64,6 +67,7 @@ jobs:
         with:
           context: .
           platforms: ${{ env.PLATFORMS }}
+          pull: true
           cache-from: type=gha
           cache-to: type=gha
           push: true
@@ -84,7 +88,7 @@ jobs:
           write-comment: true
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Update repo description
-        if: ${{ github.ref == 'refs/heads/main' }}
+        if: ${{ github.ref == 'refs/heads/main' && env.HAS_DOCKERHUB_SECRETS }}
         uses: peter-evans/dockerhub-description@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}