use released shared workflow (#4914)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-20 04:05:24 +02:00 · 2026-05-11 16:21:41 -04:00 · 2026-05-11 16:21:41 -04:00 · 997a486e22
commit 997a486e22
parent 4f64fbc004
1 changed files with 4 additions and 64 deletions
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@ -1,6 +1,3 @@
-# CodeQL scans for security vulnerabilities and coding errors across all
-# languages in this repo. Results appear in the "Security" tab under
-# "Code scanning alerts" and are enforced by branch protection rules.
 name: "CodeQL"

 on:
@ -8,74 +5,17 @@ on:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
-  # Weekly scheduled scan catches newly disclosed vulnerabilities in
-  # existing code, not just changes introduced by PRs.
  schedule:
    - cron: '38 11 * * 3'

+permissions: {}
+
 jobs:
  analyze:
-    name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-latest
+    name: Analyze
+    uses: anchore/workflows/.github/workflows/codeql.yaml@e8cee3a5916cebb68cda68b54c180f43394c1910 # v0.5.0
    permissions:
-      # Required to upload SARIF results to the "Security" tab.
      security-events: write
-      # Required to fetch internal or private CodeQL packs.
      packages: read
-      # Only required for workflows in private repositories.
      actions: read
      contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # GitHub Actions workflow linting — no build needed.
-          - language: actions
-            build-mode: none
-
-          # Go uses "manual" build mode so we control exactly what gets
-          # compiled. The default "autobuild" finds the Makefile and runs
-          # the full CI pipeline (lint, test, snapshot release, etc.),
-          # which is far more work than CodeQL needs. All it requires is
-          # compiled Go source so it can build a type-resolved code graph
-          # for analysis.
-          - language: go
-            build-mode: manual
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-        with:
-          persist-credentials: false
-
-      # Pin the Go toolchain to whatever go.mod declares so CodeQL
-      # analyzes with the same version the project actually uses.
-      # Only runs for the Go matrix entry.
-      - name: Setup Go
-        if: matrix.language == 'go'
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version-file: go.mod
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
-        with:
-          languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
-
-      # Minimal build for Go: compile all packages so CodeQL gets a full
-      # type-resolved code graph for analysis.
-      - name: Build (Go)
-        if: matrix.build-mode == 'manual'
-        shell: bash
-        run: go build ./...
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
-        with:
-          # The category tag lets GitHub associate SARIF results with the
-          # correct language when branch protection checks for required
-          # code scanning results.
-          category: "/language:${{matrix.language}}"