PYTHON-5062 Add GitHub Actions CodeQL scanning (#321)

blink1073 · web-flow · commit 1433773db472 · 2025-01-27T09:41:00.000-06:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -26,7 +26,7 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze ${{ matrix.language }}
     runs-on: ubuntu-latest
     timeout-minutes: 360
     permissions:
@@ -36,7 +36,12 @@ jobs:
       packages: read
       actions: read
       contents: read
-
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: python
+        - language: actions
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -52,7 +57,7 @@ jobs:
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:
-        languages: python
+        languages: ${{ matrix.language }}
         build-mode: none
         # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         queries: security-extended
@@ -62,10 +67,11 @@ jobs:
             - 'test/**'
 
     - shell: bash
+      if: matrix.language == 'python'
       run: |
         pip install -e .
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
       with:
-        category: "/language:python"
+        category: "/language:${{matrix.language}}"
