name: "Static code analysis" on: push: branches: [master] pull_request: branches: [master] schedule: # Everyday at midnight - cron: '0 0 * * *' jobs: codeql: runs-on: ubuntu-latest permissions: security-events: write steps: - name: Checkout repository uses: actions/checkout@v2 - name: Install dependencies id: dependencies uses: ./.github/actions/install-dependencies - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: languages: cpp queries: +security-and-quality - name: Configure shadow-utils run: ./autogen.sh --without-selinux --disable-man - name: Build shadow-utils run: | PROCESSORS=$(/usr/bin/getconf _NPROCESSORS_ONLN) make -j$PROCESSORS - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 differential-shellcheck: if: github.event_name == 'pull_request' runs-on: ubuntu-latest permissions: contents: read security-events: write pull-requests: write steps: - name: Checkout repository uses: actions/checkout@v3 with: fetch-depth: 0 # Doc: https://github.com/redhat-plumbers-in-action/differential-shellcheck#usage - name: Differential ShellCheck uses: redhat-plumbers-in-action/differential-shellcheck@v3 with: severity: warning token: ${{ secrets.GITHUB_TOKEN }}