diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..90e93c1cf2 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,47 @@ +name: CodeQL + +on: + push: + branches: + - main + - release/* + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ${{ matrix.os }} + timeout-minutes: 360 + + strategy: + fail-fast: false + matrix: + include: + - language: csharp + build-mode: none + os: windows-latest + - language: javascript-typescript + build-mode: none + os: ubuntu-latest + - language: python + build-mode: none + os: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" diff --git a/azure-pipelines-compliance.yml b/azure-pipelines-compliance.yml index 4ce2576cf0..c8adc44f31 100644 --- a/azure-pipelines-compliance.yml +++ b/azure-pipelines-compliance.yml @@ -18,7 +18,7 @@ name: $(date:yy)$(DayOfYear)$(rev:.r) trigger: none pr: none -# Trigger builds on a nightly schedule, as long as there are changes +# Trigger builds on a nightly schedule so compliance scans stay current. # Ignore the azure-pipelines.yml, since that's a different pipeline # All times are in UTC, so 8AM = Midnight PST schedules: @@ -27,6 +27,7 @@ schedules: branches: include: - main + always: true jobs: