ci: Harden GitHub Actions (#2913)

utpilla · web-flow · commit e680514e4fe6 · 2025-04-07T19:55:50.000-07:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,43 @@
+name: "CodeQL Analysis"
+
+env:    
+    CODEQL_ENABLE_EXPERIMENTAL_FEATURES : true # CodeQL support for Rust is experimental
+
+permissions: read-all
+
+on:
+  schedule:
+    - cron: '0 0 * * *' # once in a day at 00:00
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for github/codeql-action/autobuild to send a status report
+
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        submodules: true
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+      with:
+        languages: rust
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
