| # Run https://codeql.github.com/, a static C code analyzer. |
| on: |
| # Manual trigger (Actions tab or `gh workflow run`); ignores the path |
| # filters below, so it runs even when no C file changed. |
| workflow_dispatch: |
| push: |
| branches: [master] |
| paths: &c_paths |
| - ".github/workflows/codeql.yml" |
| - "**.c" |
| - "**.h" |
| pull_request: |
| paths: *c_paths |
| name: codeql |
| permissions: |
| actions: read |
| contents: read |
| security-events: write |
| concurrency: |
| group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && github.sha || '' }} |
| cancel-in-progress: true |
| jobs: |
| analyze: |
| runs-on: ubuntu-latest |
| steps: |
| - uses: actions/checkout@v5 |
| |
| - uses: actions/setup-python@v6 |
| with: |
| python-version: "3.x" |
| |
| - name: Initialize CodeQL |
| uses: github/codeql-action/init@v3 |
| with: |
| languages: c-cpp |
| queries: security-and-quality |
| |
| - name: Build C extensions |
| run: | |
| python -m pip install --upgrade pip setuptools |
| make build |
| |
| - name: Perform CodeQL analysis |
| uses: github/codeql-action/analyze@v3 |