security-codeql.yml

---
name: Security CodeQL

on:
  schedule:
    - cron: 0 3 * * *

permissions:
  security-events: write
  actions: read
  contents: read

jobs:
  codeql:
    if: ${{ ! github.event.repository.private }}
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Dependencies
        uses: ./.github/actions/setup-poetry
      - name: Initialize CodeQL
        uses: github/codeql-action/init@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3
        with:
          languages: python
          setup-python-dependencies: false
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@f89b8a7d5239ba6d1a0f243ead94ea9ca5775ae1 # # tag=v2.1.21