66 changes: 66 additions & 0 deletions .github/workflows/codeql.yaml
@@ -0,0 +1,66 @@
name: "CodeQL"

on:
push:
branches: [main]
pull_request_target:
branches: [main]
schedule:
# Run weekly on Monday at 07:25 UTC
- cron: "25 7 * * 1"

# For pull_request_target events, check out the fork's code.
# Falls back to the current repository/ref for push and schedule events.
env:
REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
REPO: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}

# Top-level permissions: restrict to read-only by default.
permissions:
contents: read

jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
timeout-minutes: 360
permissions:
# Required to upload CodeQL results to the Security tab.
security-events: write
# Required to check out the repository.
contents: read
# Required for workflows in private repositories.
actions: read

strategy:
fail-fast: false
matrix:
include:
- language: go
- language: actions

env:
# This repository uses CGO (github.com/miekg/pkcs11).
CGO_ENABLED: 1

steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
repository: ${{ env.REPO }}
ref: ${{ env.REF }}

- name: Initialize CodeQL
Comment on lines +39 to +42

Check failure

Code scanning / CodeQL

Checkout of untrusted code in trusted context

Potential execution of untrusted code on a privileged workflow ([pull_request_target](1))
uses: github/codeql-action/init@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3
with:
languages: ${{ matrix.language }}
queries: security-extended

- name: Autobuild
if: matrix.language == 'go'
uses: github/codeql-action/autobuild@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3
with:
category: "/language:${{ matrix.language }}"
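Review bot: The `REF` entry under the top-level `env` resolves to the PR head branch name (`github.event.pull_request.head.ref`), so the checkout step's `ref:` input fetches whatever that fork branch points to at run time rather than the commit the event reported, and the SARIF uploaded by the analyze step can describe a later commit than the one that triggered the run. Pinning to the commit keeps the result attributable to what was actually reviewed: `REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}`; the SHA should still resolve through actions/checkout since it is reachable from the PR head, though that is worth confirming on a fork PR. The `REPO` entry can stay as it is. It would also help to state in the comment above `env` that `REF`/`REPO` intentionally differ from the event's default checkout target, since a reader of the checkout step alone cannot see why `repository:` is overridden.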