feat: codeql advanced (#1322)

erikburt · web-flow · commit 95fcab616d91 · 2025-11-12T14:44:44.000-08:00
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -0,0 +1,105 @@
+name: "CodeQL Advanced"
+
+on:
+  pull_request:
+  schedule:
+    - cron: "22 22 * * 2"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  filter:
+    name: Detect Changes
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      should-run-go: ${{ steps.changes.outputs.go-changes == 'true' || steps.changes.outputs.self-changes == 'true' || github.event_name == 'schedule' }}
+      should-run-python: ${{ steps.changes.outputs.python-changes == 'true' || steps.changes.outputs.self-changes == 'true' || github.event_name == 'schedule' }}
+      should-run-js-ts: ${{ steps.changes.outputs.js-ts-changes == 'true' || steps.changes.outputs.self-changes == 'true' || github.event_name == 'schedule' }}
+      should-run-actions: ${{ steps.changes.outputs.actions-changes == 'true' || github.event_name == 'schedule' }} # includes self-changes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: changes
+        with:
+          list-files: shell
+          filters: |
+            go-changes:
+              - '**/*.go'
+              - '**/go.mod'
+              - '**/go.sum'
+            python-changes:
+              - '**/*.py'
+              - '**/requirements.txt'
+            js-ts-changes:
+              - '**/pnpm-lock.yaml'
+              - '**/*.js'
+              - '**/*.ts'
+              - '**/tsconfig.json'
+            actions-changes:
+              - '.github/workflows/**/*.yml'
+              - '.github/workflows/**/*.yaml'
+              - '**/action.yml'
+              - '**/action.yaml'
+            self-changes:
+              - '.github/workflows/codeql.yaml'
+
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: "ubuntu-latest"
+    permissions:
+      contents: read
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
+      # required to get workflow run info via API
+      actions: read
+      # required for assumiming AWS IAM roles with OIDC
+      id-token: write
+    needs: filter
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: go
+            should-run: ${{ needs.filter.outputs.should-run-go }}
+            build-mode: autobuild
+
+          - language: python
+            should-run: ${{ needs.filter.outputs.should-run-python }}
+
+          - language: javascript-typescript
+            should-run: ${{ needs.filter.outputs.should-run-js-ts }}
+
+          - language: actions
+            should-run: ${{ needs.filter.outputs.should-run-actions }}
+
+    steps:
+      - name: Checkout repository
+        if: matrix.should-run
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        if: matrix.should-run
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode || '' }}
+
+      - name: Perform CodeQL Analysis
+        if: matrix.should-run
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{matrix.language}}"
