PYTHON-5062 Add GitHub Actions CodeQL scanning (#321)

2025-01-27 09:41:00 -06:00 · 2025-01-27 09:41:00 -06:00 · 1433773db4
commit 1433773db4
parent 459760f4b4
1 changed files with 10 additions and 4 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -26,7 +26,7 @@ on:

 jobs:
  analyze:
-    name: Analyze
+    name: Analyze ${{ matrix.language }}
    runs-on: ubuntu-latest
    timeout-minutes: 360
    permissions:
@ -36,7 +36,12 @@ jobs:
      packages: read
      actions: read
      contents: read
-
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: python
+        - language: actions
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
@ -52,7 +57,7 @@ jobs:
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
-        languages: python
+        languages: ${{ matrix.language }}
        build-mode: none
        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        queries: security-extended
@ -62,10 +67,11 @@ jobs:
            - 'test/**'

    - shell: bash
+      if: matrix.language == 'python'
      run: |
        pip install -e .

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
-        category: "/language:python"
+        category: "/language:${{matrix.language}}"