ai-native-python/{{cookiecutter.project_name}}/.github/workflows/security.yml at 8a1e817e89e2f89e0ce3a8b87d90b31906ef0f0f · Zenable-io/ai-native-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
---
name: "Security"

on:
{%- if cookiecutter.public == 'yes' %}
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: '{{ range(0, 59) | random }} {{ range(2, 4) | random }} * * *'
{%- endif %}
  workflow_dispatch:

permissions:
  contents: read
  security-events: write

env:
  python_version: "{{ cookiecutter.python_version }}"

defaults:
  run:
    shell: 'bash --noprofile --norc -Eeuo pipefail {0}'

jobs:
  analyze:
    name: CodeQL
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v6
        with:
          persist-credentials: 'false'
      - name: Bootstrap repository
        uses: ./.github/actions/bootstrap
        with:
          token: ${{ "{{ secrets.GITHUB_TOKEN }}" }}
          python-version: ${{ "{{ env.python_version }}" }}
      - name: Set CodeQL Python path
        run: |
          echo "CODEQL_PYTHON=$(uv run which python)" | tee -a "${GITHUB_ENV}"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          setup-python-dependencies: false
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3