blob: 352d88fdab3169571ea337b1e254d648daca3596 [file] [edit]
# Run https://codeql.github.com/, a static C code analyzer.
on:
# Manual trigger (Actions tab or `gh workflow run`); ignores the path
# filters below, so it runs even when no C file changed.
workflow_dispatch:
push:
branches: [master]
paths: &c_paths
- ".github/workflows/codeql.yml"
- "**.c"
- "**.h"
pull_request:
paths: *c_paths
name: codeql
permissions:
actions: read
contents: read
security-events: write
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && github.sha || '' }}
cancel-in-progress: true
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-python@v6
with:
python-version: "3.x"
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: c-cpp
queries: security-and-quality
- name: Build C extensions
run: |
python -m pip install --upgrade pip setuptools
make build
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v3