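---
# CodeQL static analysis for the Rust workspace.
#
# Layout note: the listing this was reconstructed from had lost its
# indentation and had `uses: ... with:` collapsed onto single lines, which
# does not parse (`with:` becomes part of the `uses` scalar). The structure
# below is the intended one. All third-party actions are pinned to full
# commit SHAs (good); TODO(review): add a `# vX.Y.Z` tag comment next to
# each pin so Dependabot/Renovate can keep them current.
name: "🔒 CodeQL Analysis"

# Runs weekly (Monday 00:00 UTC) and on demand only. There is no
# `push`/`pull_request` trigger, so new findings surface up to a week after
# they land; add those triggers if per-change scanning is wanted.
on:
  schedule:
    - cron: "0 0 * * 1"
  workflow_dispatch:

# Workflow-wide token is read-only; the job widens it only where needed.
permissions:
  contents: read

jobs:
  codeql:
    name: 🔒 CodeQL Analysis (Rust)
    runs-on: ubuntu-latest
    env:
      CLICOLOR: 1
      # Inputs and env values are strings in Actions; keep the boolean quoted.
      SCCACHE_GHA_ENABLED: "true"
      # rustc invocations go through sccache (installed by the step below).
      RUSTC_WRAPPER: "sccache"
    permissions:
      # `actions: read` is needed by codeql-action to query workflow runs;
      # `security-events: write` is required to upload SARIF results.
      actions: read
      contents: read
      security-events: write
    steps:
      # `audit` only records outbound calls; it blocks nothing. Once the
      # egress baseline is known, switch to `egress-policy: block` with an
      # `allowed-endpoints` list so a compromised dependency or build script
      # cannot exfiltrate the job token.
      - name: 🛡️ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit

      - name: 📁 Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: 📦 Set up sccache
        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad
        with:
          disable_annotations: true

      # Registry/git caches only; `target/` is handled separately below.
      - name: 📦 Cache Rust registry
        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4
        with:
          shared-key: "codeql"
          cache-targets: false

      # Restore-only: this job never writes the `target/` cache, it reuses one
      # produced elsewhere in the repository. The `restore-keys` prefix
      # fallback matches any cache whose key starts with
      # `target-full-<os>-`, regardless of which workflow or Cargo.lock
      # produced it, so the restored artifacts (including build-script
      # binaries cargo may re-run) should be treated as untrusted input.
      # If an exact Cargo.lock match is sufficient, drop `restore-keys`.
      - name: 📦 Restore compiled dependencies
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: target/
          key: target-full-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: target-full-${{ runner.os }}-

      # Installs the toolchain from rust-toolchain.toml / action defaults.
      - name: 🛠️ Set up Rust toolchain
        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7

      - name: 🔒 Initialize CodeQL
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13
        with:
          languages: rust

      # NOTE(review): if the CodeQL Rust extractor does not trace the build
      # (build-mode `none`), this step only warms sccache for later runs and
      # does not widen analysis coverage — confirm against the pinned
      # codeql-action release before relying on it.
      - name: 🛠️ Build workspace
        run: cargo build --workspace --all-features

      # Results are uploaded under a fixed category so repeated runs replace
      # rather than duplicate alerts.
      - name: 🔒 Perform CodeQL Analysis
        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13
        with:
          category: "/language:rust"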