Build

Bump github/codeql-action from 4.34.1 to 4.35.1 #362

	name: Build

	on:
	push:
	branches:
	- main
	pull_request:

	permissions:
	contents: read

	jobs:
	build:
	permissions:
	contents: read # for actions/checkout to fetch code
	pull-requests: read # for SonarSource/sonarcloud-github-action to determine which PR to decorate
	name: Build
	strategy:
	matrix:
	python-version: [ "3.11", "3.12", "3.13" ]
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
	with:
	egress-policy: audit

	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

	- name: Set up Python ${{ matrix.python-version }}
	uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
	with:
	python-version: ${{ matrix.python-version }}

	- name: Set poetry
	uses: abatilo/actions-poetry@0dd19c9498c3dc8728967849d0d2eae428a8a3d8 # v4
	with:
	poetry-version: '2.1.2'

	- name: Setup environment
	run: poetry install

	- name: Run Tests
	run: \|
	poetry run pytest --cov blitzortung --cov-report xml --cov-report term --junitxml=junit.xml tests

	- name: Build
	run: \|
	poetry build

	- name: SonarCloud Scan
	if: matrix.python-version == '3.12' && github.secret_source == 'Actions'
	uses: SonarSource/sonarqube-scan-action@v7.0.0
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Provide feedback