Files
systemd/.github/workflows/codeql.yml
dependabot[bot] 4afd7808fe build(deps): bump the actions group across 1 directory with 9 updates
Bumps the actions group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `6.0.2` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.2.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4` | `6` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.29.7` | `4.32.0` |
| [redhat-plumbers-in-action/differential-shellcheck](https://github.com/redhat-plumbers-in-action/differential-shellcheck) | `5.5.3` | `5.5.6` |
| [redhat-plumbers-in-action/gather-pull-request-metadata](https://github.com/redhat-plumbers-in-action/gather-pull-request-metadata) | `1.8.1` | `1.9.0` |
| [redhat-plumbers-in-action/advanced-issue-labeler](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler) | `3.2.3` | `3.2.4` |
| [actions/github-script](https://github.com/actions/github-script) | `7.0.1` | `8.0.0` |
| [super-linter/super-linter](https://github.com/super-linter/super-linter) | `8.3.0` | `8.3.2` |



Updates `actions/checkout` from 4.2.2 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](11bd71901b...de0fac2e45)

Updates `actions/setup-python` from 5.6.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](a26af69be9...a309ff8b42)

Updates `actions/upload-artifact` from 4 to 6
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v6)

Updates `github/codeql-action` from 3.29.7 to 4.32.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](51f77329af...b20883b0cd)

Updates `redhat-plumbers-in-action/differential-shellcheck` from 5.5.3 to 5.5.6
- [Release notes](https://github.com/redhat-plumbers-in-action/differential-shellcheck/releases)
- [Changelog](https://github.com/redhat-plumbers-in-action/differential-shellcheck/blob/main/docs/CHANGELOG.md)
- [Commits](dd551ce780...d965e66ec0)

Updates `redhat-plumbers-in-action/gather-pull-request-metadata` from 1.8.1 to 1.9.0
- [Release notes](https://github.com/redhat-plumbers-in-action/gather-pull-request-metadata/releases)
- [Commits](b3dbc3f843...b86d1eaf70)

Updates `redhat-plumbers-in-action/advanced-issue-labeler` from 3.2.3 to 3.2.4
- [Release notes](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/releases)
- [Commits](e38e6809c5...b80ae64e3e)

Updates `actions/github-script` from 7.0.1 to 8.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](60a0d83039...ed597411d8)

Updates `super-linter/super-linter` from 8.3.0 to 8.3.2
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](502f4fe48a...d5b0a2ab11)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: github/codeql-action
  dependency-version: 4.32.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: redhat-plumbers-in-action/differential-shellcheck
  dependency-version: 5.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: redhat-plumbers-in-action/gather-pull-request-metadata
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: redhat-plumbers-in-action/advanced-issue-labeler
  dependency-version: 3.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/github-script
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: super-linter/super-linter
  dependency-version: 8.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-28 16:27:11 +09:00

67 lines
1.7 KiB
YAML

---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: "CodeQL"
on:
pull_request:
branches:
- main
- v[0-9]+-stable
paths:
- '**/meson.build'
- '.github/**/codeql*'
- 'src/**'
- 'test/**'
- 'tools/**'
push:
branches:
- main
- v[0-9]+-stable
permissions:
contents: read
jobs:
analyze:
name: Analyze
if: github.repository != 'systemd/systemd-security'
runs-on: ubuntu-24.04
concurrency:
group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
cancel-in-progress: true
permissions:
actions: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ['cpp', 'python']
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Initialize CodeQL
uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql-config.yml
- run: |
sudo -E .github/workflows/unit-tests.sh SETUP
# TODO: drop after we switch to ubuntu 26.04
bpftool_binary=$(find /usr/lib/linux-tools/ /usr/lib/linux-tools-* -name 'bpftool' -perm /u=x 2>/dev/null | sort -r | head -n1)
if [ -n "$bpftool_binary" ]; then
sudo rm -f /usr/{bin,sbin}/bpftool
sudo ln -s "$bpftool_binary" /usr/bin/
fi
- name: Autobuild
uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30