CI: Enable CodeQL

I've gone for doing this manually rather than through the GitHub UI. This is because when I enabled in the UI just now, there were some results in the generated code `actions/lint-pr-title/dist/index.js`, and these are better identified by security alerts on the dependencies, if there is an actual issue. We want to use CodeQL to find our own issues.
grafana · Jun 12, 2024 · cbbe78d · cbbe78d
1 parent 4ba1788
commit cbbe78d
Showing 1 changed file with 55 additions and 0 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,55 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - "main"
+
+  pull_request:
+    branches:
+      - "main"
+
+  schedule:
+    - cron: "21 5 * * 3"
+
+  # To trigger a CodeQL analysis manually
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest-8-core
+    timeout-minutes: 360
+    permissions:
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: go
+            build-mode: autobuild
+          - language: javascript-typescript
+            build-mode: none
+            paths-ignore:
+              - **/dist/**
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@9550da953dd3b29aedf76cd635101e48eae5eebd # v3.25.9
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config: |
+            paths-ignore: ${{ matrix.paths-ignore }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@9550da953dd3b29aedf76cd635101e48eae5eebd # v3.25.9
+        with:
+          category: "/language:${{matrix.language}}"