Enable codeql scanning (#1532)

This enables security vulnerability scanning using CodeQL.
2026-04-29 03:37:12 +02:00 · 2026-04-20 11:28:31 -07:00
parent 4058f391a3
commit a33e431433
4 changed files with 140 additions and 0 deletions
--- a/.github/codeql.pkl
+++ b/.github/codeql.pkl
@@ -0,0 +1,67 @@
+amends "@gha/Workflow.pkl"
+
+import "@gha/catalog.pkl"
+
+on {
+  push {
+    branches {
+      "main"
+    }
+  }
+  pull_request {}
+  schedule {
+    // Run at 01:38 on Saturday
+    new { cron = "38 1 * * 6" }
+  }
+}
+
+local class CodeQLScan {
+  language: String
+
+  `build-mode`: String
+}
+
+local scans: Listing<CodeQLScan> = new {
+  new {
+    language = "actions"
+    `build-mode` = "none"
+  }
+  new {
+    language = "java-kotlin"
+    `build-mode` = "autobuild"
+  }
+  new {
+    language = "javascript-typescript"
+    `build-mode` = "none"
+  }
+}
+
+jobs {
+  for (scan in scans) {
+    ["analyze-\(scan.language)"] {
+      name = "Analyze (\(scan.language))"
+      `runs-on` = "ubuntu-latest"
+      permissions {
+        `security-events` = "write"
+      }
+      steps {
+        catalog.`actions/checkout@v6`
+        new {
+          name = "Initialize CodeQL"
+          uses = "github/codeql-action/init@v4"
+          with {
+            ["languages"] = scan.language
+            ["build-mode"] = scan.`build-mode`
+          }
+        }
+        new {
+          name = "Perform CodeQL Analysis"
+          uses = "github/codeql-action/analyze@v4"
+          with {
+            ["category"] = "/language:\(scan.language)"
+          }
+        }
+      }
+    }
+  }
+}