From c43aaea75e6f86a45068e1311027c987b415c333 Mon Sep 17 00:00:00 2001
From: Martin Costello <martin@martincostello.com>
Date: Fri, 14 Feb 2025 15:17:07 +0000
Subject: [PATCH] Add CodeQL analysis for GitHub Actions

- Add CodeQL analysis for GitHub Actions.
- Refactor permissions.
- Add overall job/status for all languages.
- Standardize workflow with other repos.
---
 .../workflows/{code-scan.yml => codeql.yml}   | 32 +++++++++++++++----
 1 file changed, 25 insertions(+), 7 deletions(-)
 rename .github/workflows/{code-scan.yml => codeql.yml} (53%)

diff --git a/.github/workflows/code-scan.yml b/.github/workflows/codeql.yml
similarity index 53%
rename from .github/workflows/code-scan.yml
rename to .github/workflows/codeql.yml
index acf8f0f4..b4524c77 100644
--- a/.github/workflows/code-scan.yml
+++ b/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-name: code-scan
+name: codeql
 
 on:
   push:
@@ -11,22 +11,21 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
-permissions:
-  actions: read
-  contents: read
+permissions: {}
 
 jobs:
-  code-ql:
-
+  analysis:
     runs-on: ubuntu-latest
 
     permissions:
+      actions: read
+      contents: read
       security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'csharp', 'javascript' ]
+        language: [ 'actions', 'csharp', 'javascript' ]
 
     steps:
     - name: Checkout repository
@@ -43,3 +42,22 @@ jobs:
       uses: github/codeql-action/analyze@v3
       with:
         category: '/language:${{ matrix.language }}'
+
+  codeql:
+    if: ${{ !cancelled() }}
+    needs: [ analysis ]
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Report status
+      shell: bash
+      env:
+        SCAN_SUCCESS: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+      run: |
+        if [ "${SCAN_SUCCESS}" == "true" ]
+        then
+          echo 'CodeQL analysis successful ✅'
+        else
+          echo 'CodeQL analysis failed ❌'
+          exit 1
+        fi