name: CodeQL on: pull_request: branches: - main - release/* - benchmarks push: branches: - main - release/* - benchmarks schedule: - cron: "29 13 * * 2" # weekly at 13:29 UTC on Tuesday permissions: contents: read jobs: analyze: permissions: contents: read actions: read # for github/codeql-action/init to get workflow details security-events: write # for github/codeql-action/analyze to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Java 17 uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: temurin java-version: 17 - name: Set up gradle uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1 - name: Initialize CodeQL uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: languages: java, actions # using "latest" helps to keep up with the latest Kotlin support # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433 tools: latest - name: Assemble # --no-build-cache is required for codeql to analyze all modules # --no-daemon is required for codeql to observe the compilation # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands) run: ./gradlew assemble --no-build-cache --no-daemon - name: Perform CodeQL analysis uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15