From 36334166727677e0667f785430a4ee75be9d3eb8 Mon Sep 17 00:00:00 2001 From: Will Sarg <12886992+willsarg@users.noreply.github.com> Date: Mon, 16 Feb 2026 23:22:54 -0500 Subject: [PATCH] Standardize security workflow and enhance with CodeQL analysis (#472) * fix(workflows): standardize runner configuration for security jobs * ci(actionlint): add Blacksmith runner label to config Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config to suppress "unknown label" warnings during workflow linting. This label is used across all workflows after the Blacksmith migration. * Merge branch 'main' into devsecops * fix(actionlint): adjust indentation for self-hosted runner labels * Merge branch 'main' into devsecops * feat(security): enhance security workflow with CodeQL analysis steps * Merge branch 'main' into devsecops --- .github/workflows/security.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 58ac9b2..30f0560 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -14,6 +14,8 @@ concurrency: permissions: contents: read + security-events: write + actions: read env: CARGO_TERM_COLOR: always @@ -45,3 +47,25 @@ jobs: - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2 with: command: check advisories licenses sources + + codeql: + name: CodeQL Analysis + runs-on: blacksmith-2vcpu-ubuntu-2404 + timeout-minutes: 30 + steps: + - name: Checkout repository + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: rust + + - name: Set up Rust + uses: dtolnay/rust-toolchain@stable + + - name: Build + run: cargo build --workspace --all-targets + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3