prometheus/.github/workflows/codeql-analysis.yml

---
name: "CodeQL"

on:
  workflow_call:
  schedule:
    - cron: "26 14 * * 1"

permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ["go", "javascript"]

    steps:
      - name: Checkout repository
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: '>=1.21 <1.22'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
Proper support for go modules. (#10486) * Proper support for go modules. This pull requests makes Prometheus go-mod compatible. The general idea is to release the Prometheus libraries as v0.x releases, next to the v2.x tags used by end users. This is done by mirroring Prometheus 2.x tags with Prometheus 0.x tags. When v2.X.0 is released, we would release v0.X.0. Pre-go mod versions are retracted from go.mod. This is not nice but should work. Only v2.x tags will be built and released by CI. v0.x.x tags would just be normal tags in the repo, not promoted as releases. Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2022-04-12 09:00:54 +00:00			`---`
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00			`name: "CodeQL"`

Update codeql-analysis.yml Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> 2023-01-25 19:12:26 +00:00			`on:`
Refactor UI publishing and polish tests (#11267) Signed-off-by: Julien Pivotto <roidelapluie@o11y.eu> Signed-off-by: Julien Pivotto <roidelapluie@o11y.eu> 2022-09-06 14:58:50 +00:00			`workflow_call:`
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00			`schedule:`
fixes yamllint errors Signed-off-by: Michal Wasilewski <mwasilewski@gmx.com> 2021-06-12 10:47:47 +00:00			`- cron: "26 14 * * 1"`
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00
ci: add minimum GitHub token permissions for workflows Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> 2022-09-08 04:27:16 +00:00			`permissions:`
			`contents: read`
Update .github/workflows/codeql-analysis.yml Co-authored-by: Christian Hoffmann <christian@hoffie.info> Signed-off-by: Ashish Kurmi <100655670+boahc077@users.noreply.github.com> 2022-09-19 08:17:46 +00:00			`security-events: write`
ci: add minimum GitHub token permissions for workflows Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> 2022-09-08 04:27:16 +00:00
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00			`jobs:`
			`analyze:`
			`name: Analyze`
			`runs-on: ubuntu-latest`
Proper support for go modules. (#10486) * Proper support for go modules. This pull requests makes Prometheus go-mod compatible. The general idea is to release the Prometheus libraries as v0.x releases, next to the v2.x tags used by end users. This is done by mirroring Prometheus 2.x tags with Prometheus 0.x tags. When v2.X.0 is released, we would release v0.X.0. Pre-go mod versions are retracted from go.mod. This is not nice but should work. Only v2.x tags will be built and released by CI. v0.x.x tags would just be normal tags in the repo, not promoted as releases. Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2022-04-12 09:00:54 +00:00			`permissions:`
			`security-events: write`
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00
			`strategy:`
			`fail-fast: false`
			`matrix:`
fixes yamllint errors Signed-off-by: Michal Wasilewski <mwasilewski@gmx.com> 2021-06-12 10:47:47 +00:00			`language: ["go", "javascript"]`
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00
			`steps:`
fixes yamllint errors Signed-off-by: Michal Wasilewski <mwasilewski@gmx.com> 2021-06-12 10:47:47 +00:00			`- name: Checkout repository`
build(deps): bump actions/checkout from 3.0.0 to 4.1.0 (#12917) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 4.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...8ade135a41bc03ea155e62e844d188df1ea18608) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-10-31 11:48:17 +00:00			`uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0`
Hash-pin GitHub Actions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> 2023-09-13 13:27:38 +00:00			`- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0`
Proper support for go modules. (#10486) * Proper support for go modules. This pull requests makes Prometheus go-mod compatible. The general idea is to release the Prometheus libraries as v0.x releases, next to the v2.x tags used by end users. This is done by mirroring Prometheus 2.x tags with Prometheus 0.x tags. When v2.X.0 is released, we would release v0.X.0. Pre-go mod versions are retracted from go.mod. This is not nice but should work. Only v2.x tags will be built and released by CI. v0.x.x tags would just be normal tags in the repo, not promoted as releases. Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2022-04-12 09:00:54 +00:00			`with:`
Update Go version Update build/test to use Go 1.21. Signed-off-by: Michal Biesek <michalbiesek@gmail.com> 2023-08-14 21:14:09 +00:00			`go-version: '>=1.21 <1.22'`
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00
fixes yamllint errors Signed-off-by: Michal Wasilewski <mwasilewski@gmx.com> 2021-06-12 10:47:47 +00:00			`- name: Initialize CodeQL`
build(deps): bump github/codeql-action from 1.0.26 to 2.21.9 (#12915) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.26 to 2.21.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v1.0.26...ddccb873888234080b77e9bc2d4764d5ccaaccf9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-10-31 11:49:04 +00:00			`uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9`
fixes yamllint errors Signed-off-by: Michal Wasilewski <mwasilewski@gmx.com> 2021-06-12 10:47:47 +00:00			`with:`
			`languages: ${{ matrix.language }}`
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00
fixes yamllint errors Signed-off-by: Michal Wasilewski <mwasilewski@gmx.com> 2021-06-12 10:47:47 +00:00			`- name: Autobuild`
build(deps): bump github/codeql-action from 1.0.26 to 2.21.9 (#12915) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.26 to 2.21.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v1.0.26...ddccb873888234080b77e9bc2d4764d5ccaaccf9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-10-31 11:49:04 +00:00			`uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9`
Add CodeQL Security Scanning Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com> 2020-12-02 23:48:39 +00:00
fixes yamllint errors Signed-off-by: Michal Wasilewski <mwasilewski@gmx.com> 2021-06-12 10:47:47 +00:00			`- name: Perform CodeQL Analysis`
build(deps): bump github/codeql-action from 1.0.26 to 2.21.9 (#12915) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.26 to 2.21.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v1.0.26...ddccb873888234080b77e9bc2d4764d5ccaaccf9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-10-31 11:49:04 +00:00			`uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9`