security-codeql.yml

---
name: Security CodeQL

on:
  schedule:
    - cron: 0 3 * * *

permissions:
  security-events: write
  actions: read
  contents: read

jobs:
  codeql:
    if: ${{ ! github.event.repository.private }}
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
      - name: Checkout repository
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
      - name: Setup Dependencies
        uses: ./.github/actions/setup-poetry
      - name: Initialize CodeQL
        uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
        with:
          languages: python
          setup-python-dependencies: false
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@563627499baf8d9e7b90a56ba0e1c42113d43fb9 # # tag=v2.1.21