ci: Add CodeQL workflow (#243)

utpilla · web-flow · commit 562c7acf7897 · 2025-04-09T14:15:14.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,6 +1,10 @@
 name: CI
 env:
   CI: true
+
+permissions:
+  contents: read
+  
 on:
   pull_request:
   push:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,45 @@
+name: "CodeQL Analysis"
+
+env:    
+    CODEQL_ENABLE_EXPERIMENTAL_FEATURES : true # CodeQL support for Rust is experimental
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for github/codeql-action/autobuild to send a status report
+
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        submodules: true
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+      with:
+        languages: rust
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -1,13 +1,13 @@
 name: FOSSA scanning
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
       - main
 
-permissions:
-  contents: read
-
 jobs:
   fossa:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -8,7 +8,8 @@ on:
     - cron: "44 17 * * 0" # once a week
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
diff --git a/.github/workflows/pr_naming.yml b/.github/workflows/pr_naming.yml
@@ -1,5 +1,8 @@
 name: PR Conventional Commit Validation
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, synchronize, reopened, edited]
