Update GitHub Actions workflow #77
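#
# GitHub Actions workflow: Runs CodeQL against production code
#
# For more details on workflows, see README.md.
#
name: CodeQL

# When to run this workflow
#
# See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
# See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#on
#
# TIP: Don't use "schedule" triggers as this will cause the workflow to be disabled after 60 days of inactivity
# (and afterward the workflow must be manually reenabled).
on:
  # Trigger the workflow on push to the main branch.
  push:
    branches:
      - main
  # Trigger the workflow for any pull requests.
  pull_request:
  # Allow manual run of this workflow (https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow)
  workflow_dispatch:

# Permissions for GITHUB_TOKEN for this workflow.
#
# See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
#
# NOTE: Because we run with minimal permissions, we use "@vX" (instead of "@hash") for non-GitHub steps below.
# Usually you would use "@hash" as a security measure to pin a specific version. However, since we run with
# minimal permissions here, malicious code can't do much harm (most likely). For more details, see:
# https://blog.gitguardian.com/github-actions-security-cheat-sheet/#use-specific-action-version-tags
#
# NOTE(review): The "analyze" job below is not quite minimal: it needs "security-events: write" so that
# CodeQL can upload its results, which also means a compromised action in that job could tamper with the
# uploaded code-scanning results. Pinning actions to a full commit SHA remains the safer choice; the tag
# references are left unchanged here because no vetted SHAs are recorded in this file.
permissions:
  contents: read

env:
  # Quoted so YAML does not parse it as the float 7.0. Only the major.minor part; ".x" is appended below.
  # NOTE(review): .NET 7 is out of support (May 2024); moving to a supported version is recommended.
  # Not changed here so the build configuration is not affected by a formatting-only review.
  DOTNET_VERSION: '7.0'

# NOTE: Jobs run in parallel by default.
# https://docs.github.com/en/actions/using-jobs/using-jobs-in-a-workflow
jobs:
  analyze:
    # Name of the job
    name: Analyze
    # Set the type of machine to run on
    # See: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idruns-on
    runs-on: ubuntu-latest
    # A job-level "permissions" block REPLACES the workflow-level one (unlisted scopes become "none"),
    # so "contents: read" must be repeated here for the checkout step to have a readable token.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      ###########################################################################
      #
      # Setup Steps
      #
      ###########################################################################
      # See: https://github.com/marketplace/actions/checkout
      - name: Clone Git repository
        uses: actions/checkout@v4
        with:
          lfs: true
          submodules: true
          # Do not leave GITHUB_TOKEN in .git/config for later steps: no step below pushes to the
          # repository, so the build and analysis steps have no need for stored git credentials.
          persist-credentials: false
      # Initializes the CodeQL tools for scanning.
      # See: https://github.com/github/codeql-action
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: csharp
      # See: https://github.com/marketplace/actions/setup-net-core-sdk
      - name: Setup .NET build environment
        uses: actions/setup-dotnet@v4
        with:
          # NOTE: Apparently only the 3rd component can be "x"; i.e. "5.x" is not supported.
          dotnet-version: '${{ env.DOTNET_VERSION }}.x'
      ###########################################################################
      #
      # Build Steps
      #
      ###########################################################################
      # See: https://docs.microsoft.com/de-de/dotnet/core/tools/dotnet-build
      # NOTE: Without specifying a solution file, "dotnet build" searches for a .sln file in the current directory.
      # NOTE: On "pull_request" runs this builds the contributor's code, so MSBuild targets from the PR execute
      # here; the token in that context is read-only for forks, which is why no write scopes beyond
      # "security-events" are granted to this job.
      - name: Build code
        run: dotnet build --configuration CodeQL_Release
      # See: https://github.com/github/codeql-action
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3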