ci(github): update workflows

pivoshenko · Nov 16, 2022 · 84fe21d · 84fe21d
1 parent 31a7d0a
commit 84fe21d
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 21 deletions.
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -8,12 +8,10 @@ name: CodeQL
 
 on:
   push:
-    branches:
-      - main
+    branches: [ "main" ]
 
   pull_request:
-    branches:
-      - main
+    branches: [ "main" ]
 
 jobs:
   analyze:
@@ -23,21 +21,29 @@ jobs:
       actions: read
       contents: read
       security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+
     steps:
-      - name: Checkout repository
-        id: checkout-repository
-        uses: actions/checkout@v3
-
-      - name: Initialize CodeQL
-        id: initialize-codeql
-        uses: github/codeql-action/init@v2
-        with:
-          languages: python
-
-      - name: Autobuild
-        id: autobuild
-        uses: github/codeql-action/autobuild@v2
-
-      - name: Perform CodeQL analysis
-        id: perform-codeql-analysis
-        uses: github/codeql-action/analyze@v2
+    - name: Checkout repository
+      id: checkout-repository
+      uses: actions/checkout@v3
+
+    - name: Initialize CodeQL
+      id: initialize-codeql
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      id: autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL analysis
+      id: perform-codeql-analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: /~https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        id: checkout-repository
+        uses: actions/checkout@v3
+
+      - name: Dependency review
+        id: dependency-review
+        uses: actions/dependency-review-action@v2