From 997a486e2251ec3fa709a3f54f51c15e8e312905 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Mon, 11 May 2026 16:21:41 -0400
Subject: [PATCH] use released shared workflow (#4914)
Signed-off-by: Alex Goodman
---
 .github/workflows/codeql.yaml | 68 +++--------------------------------
 1 file changed, 4 insertions(+), 64 deletions(-)
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index ed680114c..00dda1922 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -1,6 +1,3 @@
-# CodeQL scans for security vulnerabilities and coding errors across all
-# languages in this repo. Results appear in the "Security" tab under
-# "Code scanning alerts" and are enforced by branch protection rules.
 name: "CodeQL"
 on:
@@ -8,74 +5,17 @@ on: branches: [ "main" ] pull_request: branches: [ "main" ] - # Weekly scheduled scan catches newly disclosed vulnerabilities in - # existing code, not just changes introduced by PRs. schedule: - cron: '38 11 * * 3' +permissions: {} + jobs: analyze: - name: Analyze (${{ matrix.language }}) - runs-on: ubuntu-latest + name: Analyze + uses: anchore/workflows/.github/workflows/codeql.yaml@e8cee3a5916cebb68cda68b54c180f43394c1910 # v0.5.0 permissions: - # Required to upload SARIF results to the "Security" tab. security-events: write - # Required to fetch internal or private CodeQL packs. packages: read - # Only required for workflows in private repositories. actions: read contents: read - - strategy: - fail-fast: false - matrix: - include: - # GitHub Actions workflow linting — no build needed. - - language: actions - build-mode: none - - # Go uses "manual" build mode so we control exactly what gets - # compiled. The default "autobuild" finds the Makefile and runs - # the full CI pipeline (lint, test, snapshot release, etc.), - # which is far more work than CodeQL needs. All it requires is - # compiled Go source so it can build a type-resolved code graph - # for analysis. - - language: go - build-mode: manual - - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - with: - persist-credentials: false - - # Pin the Go toolchain to whatever go.mod declares so CodeQL - # analyzes with the same version the project actually uses. - # Only runs for the Go matrix entry. 
- - name: Setup Go - if: matrix.language == 'go' - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version-file: go.mod - - - name: Initialize CodeQL - uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - - # Minimal build for Go: compile all packages so CodeQL gets a full - # type-resolved code graph for analysis. - - name: Build (Go) - if: matrix.build-mode == 'manual' - shell: bash - run: go build ./... - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 - with: - # The category tag lets GitHub associate SARIF results with the - # correct language when branch protection checks for required - # code scanning results. - category: "/language:${{matrix.language}}"
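Review bot: The per-language check name `Analyze (${{ matrix.language }})` and the SARIF `category: "/language:..."` that this hunk removes are what branch protection and the code-scanning alert index key on (the header comment deleted in the first hunk says results are "enforced by branch protection rules"), and the new `analyze` job preserves neither: checks from a reusable workflow report as `Analyze / <job name inside anchore/workflows>`, so the required-status-check rule must be updated in the same change or PRs will wait on checks that never report, and if the shared workflow emits a different category the existing alerts will be closed and re-opened under the new one. The caller also drops `persist-credentials: false`, `build-mode: manual` and the `go build ./...` step; whether the pinned shared workflow keeps manual build mode rather than `autobuild` (which the removed comment notes would run the full Makefile CI pipeline inside the CodeQL job) cannot be verified from this diff, so I would record the contract above `uses:`: `# Shared workflow is expected to check out with persist-credentials=false, analyze go (manual build) and actions, and report one check per language — verify on upgrade.` The full-SHA pin with the `# v0.5.0` comment on `uses:` is the right shape; the job-level `permissions:` block is the ceiling the called workflow can request, which is why it is worth keeping the per-line why-comments that were deleted, e.g. `# upload SARIF to the Security tab` on `security-events: write` and `# fetch private CodeQL packs` on `packages: read`, so a later edit does not widen or drop them without context.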