
     1  # Scan our binaries for vulnerabilities
     2  name: CodeQL
        # NOTE(review): there is no top-level `permissions:` block, so the job runs with whatever
        # GITHUB_TOKEN scope the repository default grants. codeql-action/analyze needs
        # `security-events: write` (plus `contents: read` for the checkout); declaring just those here
        # would make the token least-privilege instead of inheriting the repo-wide default.
     3  on:
     4    # always do a security scan when a change is merged
     5    push:
     6      branches-ignore:
     7        # Disable running the push event for dependabot.
     8        # Dependabot pushes to branches in our repo, not in a fork. This causes the push event to trigger for dependabot PRs and the CodeQL check fails.
     9        - "dependabot/**"
    10    # Only do a security scan on a PR when there are non-doc changes to save time
        # NOTE(review): pull_request_target runs in the context of the base repository, so the base
        # repo's GITHUB_TOKEN and secrets are available even when the PR comes from a fork. The Checkout
        # step below passes no `ref`, so under this event it checks out the base branch rather than the
        # PR head; the PR-triggered scan therefore analyzes the base branch's code, not the proposed
        # change — confirm that is the intent. Do not change this to check out the PR head under this
        # event: the mage build steps below would then execute PR-controlled code with the base repo's
        # token. If scanning the PR's own code is wanted, the `pull_request` event is the safer trigger
        # (fork PRs then get a read-only token, which may limit result upload — verify before switching).
    11    pull_request_target:
    12      paths-ignore:
    13        - 'docs/**'
    14  
    15  jobs:
    16    scan:
    17      runs-on: ubuntu-latest
        # NOTE(review): every action below is referenced by a mutable major-version tag (@v3, @v4, @v2).
        # Pinning each to a full commit SHA, with the version kept in a trailing comment, prevents a
        # moved or compromised tag from changing what runs in this job.
    18      steps:
    19        - name: Checkout
    20          uses: actions/checkout@v3
    21          with:
    22            fetch-depth: 0 # Get all git history
    23        - name: Set up Go
    24          uses: actions/setup-go@v4
    25          with:
    26            go-version-file: go.mod
    27            cache: true
    28        # Run anything that isn't compiling Porter before we init codeql replaces the go binary and makes everything exponentially slower
    29        - name: Download Dependencies
    30          run: go mod download
    31        - name: Configure Agent
    32          run: go run mage.go -v ConfigureAgent InstallBuildTools
        # From here on, CodeQL wraps the Go toolchain so that the build steps below are traced into
        # the CodeQL database that the Analyze step queries.
    33        - name: Initialize CodeQL
    34          uses: github/codeql-action/init@v2
    35          with:
    36            languages: go
    37        - name: Build Binaries
    38          run: mage -v BuildPorter BuildExecMixin BuildAgent
    39        - name: Perform CodeQL Analysis
    40          uses: github/codeql-action/analyze@v2