Merge pull request #373 from opensensor/dependabot/npm_and_yarn/web/n… #508
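# CodeQL static analysis for the C/C++ sources.
# Builds the project inside a Debian container and uploads the findings to
# GitHub code scanning.
name: CodeQL

# NOTE(review): there is no pull_request trigger, so findings only appear
# after a change has landed on main. Confirm that is intended.
on:
  push:
    branches: [main]
  schedule:
    # Run weekly on Mondays at 06:00 UTC to catch new CVE patterns, so the
    # analysis is refreshed even when main has had no new commits.
    - cron: '0 6 * * 1'
  workflow_dispatch:

# One run per workflow and ref; a newer run cancels the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least-privilege token: read-only apart from security-events, which the
# analyze step needs in order to upload its results.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    # NOTE(review): debian:sid-slim is a rolling tag, so the toolchain and the
    # -dev packages can change between runs. Pinning the image by digest
    # (debian:sid-slim@sha256:<digest>) would make the runs reproducible.
    container: debian:sid-slim
    timeout-minutes: 45
    strategy:
      fail-fast: false
      matrix:
        language: ['c-cpp']
    steps:
      # The slim image ships without git or a compiler, so both are installed
      # before the checkout step.
      - name: Install build dependencies
        run: |
          apt-get update
          apt-get install -y \
            git build-essential cmake pkg-config \
            libavcodec-dev libavformat-dev libavutil-dev libswscale-dev \
            libsqlite3-dev libuv1-dev libllhttp-dev libcurl4-openssl-dev \
            libcjson-dev libmbedtls-dev libmosquitto-dev

      # NOTE(review): the actions in this job are referenced by mutable
      # major-version tags. Pinning each one to a full commit SHA is the
      # stricter supply-chain option.
      - name: Checkout
        uses: actions/checkout@v5
        with:
          submodules: false
          # The build step below runs the project's own CMake and make logic.
          # Keep the workflow token out of the checked-out repository's git
          # configuration so that build-time code cannot read it.
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # Use extended queries for more thorough security analysis
          queries: security-extended

      # CodeQL observes this build to extract the C/C++ sources.
      # NOTE(review): code behind the options switched OFF here is presumably
      # not compiled and so would not be analysed. Confirm that this coverage
      # gap is acceptable.
      - name: Build for CodeQL
        run: |
          mkdir -p build && cd build
          cmake .. \
            -DCMAKE_BUILD_TYPE=Release \
            -DENABLE_SOD=OFF \
            -DENABLE_GO2RTC=OFF \
            -DBUILD_TESTS=OFF
          make -j$(nproc)

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          # Label the uploaded results by language
          category: "/language:${{ matrix.language }}"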