Skip to content
CodeQL Advanced

chore(deps): bump github/codeql-action in the all group (#1436) #1478

Sign in to view logs

chore(deps): bump github/codeql-action in the all group (#1436)

chore(deps): bump github/codeql-action in the all group (#1436) #1478

Workflow file for this run

.github/workflows/codeql.yaml at f9bbba1
# Copyright 2025 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
name: "CodeQL Advanced"
on:
pull_request:
push:
branches: ["main"]
schedule:
- cron: "35 23 * * 0"
env:
CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
YARA_X_RELEASE: "1.14.0"
permissions: {}
jobs:
analyze:
if: ${{ github.repository == 'chainguard-dev/malcontent' }}
runs-on: ubuntu-latest-16-core
permissions:
actions: read
contents: read
packages: read
security-events: write
steps:
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Cache yara-x-capi installation
id: yara-x-capi
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: yara-x-install
key: yara-x-capi-v${{ env.YARA_X_RELEASE }}-${{ runner.os }}
- name: Checkout virusTotal/yara-x
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-tags: true
repository: virusTotal/yara-x
path: yara-x
ref: refs/tags/v${{ env.YARA_X_RELEASE }}
- name: Install Rust for yara-x-capi
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
with:
toolchain: stable
- name: Cache Rust dependencies
if: steps.yara-x-capi.outputs.cache-hit != 'true'
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/.cargo/registry/
~/.cargo/git/
key: rust-cargo-v${{ env.YARA_X_RELEASE }}-${{ runner.os }}
restore-keys: rust-cargo-
- name: Build yara-x-capi
if: steps.yara-x-capi.outputs.cache-hit != 'true'
run: |
command -v cargo-cinstall || cargo install cargo-c --locked
cd ${{ github.workspace }}/yara-x
RUSTFLAGS="-C target-feature=+crt-static" cargo cinstall -p yara-x-capi --features=native-code-serialization \
--profile release-lto \
--pkgconfigdir=${{ github.workspace }}/yara-x-install \
--includedir=${{ github.workspace }}/yara-x-install \
--libdir=${{ github.workspace }}/yara-x-install \
--crt-static --library-type="staticlib"
rm -rf ${{ github.workspace }}/yara-x
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: "go.mod"
check-latest: true
cache: true
- name: Initialize CodeQL
uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
languages: go
build-mode: manual
- run: |
go build -o /dev/null ./...
go test -o /dev/null -c ./...
env:
PKG_CONFIG_PATH: ${{ github.workspace }}/yara-x-install
LD_LIBRARY_PATH: ${{ github.workspace }}/yara-x-install
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
category: "/language:go"
analyze-actions:
if: ${{ github.repository == 'chainguard-dev/malcontent' }}
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
packages: read
security-events: write
steps:
- uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Initialize CodeQL
uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
languages: actions
build-mode: none
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
with:
category: "/language:actions"