zeroclaw/.github/workflows/sec-codeql.yml

name: Sec CodeQL

on:
    schedule:
        - cron: "0 6 * * 1" # Weekly Monday 6am UTC
    workflow_dispatch:

concurrency:
    group: codeql-${{ github.ref }}
    cancel-in-progress: true

permissions:
    contents: read
    security-events: write
    actions: read

jobs:
    codeql:
        name: CodeQL Analysis
        runs-on: blacksmith-2vcpu-ubuntu-2404
        timeout-minutes: 30
        steps:
            - name: Checkout repository
              uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

            - name: Initialize CodeQL
              uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
              with:
                  languages: rust
                  config-file: ./.github/codeql/codeql-config.yml

            - name: Set up Rust
              uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable

            - name: Build
              run: cargo build --workspace --all-targets

            - name: Perform CodeQL Analysis
              uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4