Implement CodeQL Security Scan in workflow #9871
+24
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -75,3 +75,27 @@ jobs: | |||||||||
| run: pylinkvalidate.py -P http://localhost:8000/ | ||||||||||
|
|
||||||||||
| - run: echo "Done" | ||||||||||
|
|
||||||||||
| codeql: | ||||||||||
| name: CodeQL Security Scan | ||||||||||
| runs-on: ubuntu-latest | ||||||||||
|
|
||||||||||
| permissions: | ||||||||||
| security-events: write | ||||||||||
| contents: read | ||||||||||
|
|
||||||||||
| steps: | ||||||||||
| - name: Checkout code | ||||||||||
| uses: actions/checkout@v4 | ||||||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||||||
|
|
||||||||||
| - name: Initialize CodeQL | ||||||||||
| uses: github/codeql-action/init@v3 | ||||||||||
| with: | ||||||||||
| languages: python | ||||||||||
| queries: security-and-quality | ||||||||||
|
|
||||||||||
| # Para Python NO hace falta build ni dependencias | ||||||||||
| # CodeQL analiza el código fuente directamente | ||||||||||
|
Comment on lines
+97
to
+98
Member
There was a problem hiding this comment. Please remove these comments or write them in English... From my basic Spanish they don't seem to add a lot of value, so I would lean towards removing
Comment on lines
+97
to
+98
There was a problem hiding this comment. The added inline comments are in Spanish, while the rest of the workflows in this repo are written in English. Please translate these to English to keep CI configuration maintainable for the broader contributor base.
Suggested change
|
||||||||||
|
|
||||||||||
| - name: Perform CodeQL Analysis | ||||||||||
| uses: github/codeql-action/analyze@v3 | ||||||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This job requests
security-events: write, which GitHub does not grant to workflows triggered from forked PRs. Since the workflow runs onpull_request, this job is likely to fail for external contributors. Consider guarding the job/steps to skip on forks, or run CodeQL only onpush/schedule(or usepull_request_targetwith appropriate hardening).