Skip to content
.github/workflows/codeql.yml

Merge pull request #1278 from kingbitnation/test/1226-optimistic-roll… #236

Sign in to view logs

Merge pull request #1278 from kingbitnation/test/1226-optimistic-roll…

Merge pull request #1278 from kingbitnation/test/1226-optimistic-roll… #236

Workflow file for this run

.github/workflows/codeql.yml at c232bbb
name: CodeQL
# Static security analysis for:
# - backend/ and frontend/ (JavaScript/TypeScript)
# - contracts/ (Rust/Soroban smart contracts)
# Complements the supply-chain-audit job in ci.yml by catching SQL injection,
# prototype pollution, XSS, path traversal, and ReDoS before they ship.
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Weekly, Monday 06:00 UTC — catches newly-published query updates.
- cron: "0 6 * * 1"
jobs:
analyze:

Check failure on line 19 in .github/workflows/codeql.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/codeql.yml

Invalid workflow file 

You have an error in your yaml syntax on line 19
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
strategy:
fail-fast: false
matrix:
language:
- javascript-typescript
- rust
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-and-quality
# JS/TS needs no compilation; autobuild is a no-op safeguard.
- name: Autobuild JS/TS
if: matrix.language == 'javascript-typescript'
uses: github/codeql-action/autobuild@v3
- name: Install Rust toolchain
if: matrix.language == 'rust'
uses: dtolnay/rust-toolchain@stable
with:
targets: wasm32-unknown-unknown
- name: Build Soroban contracts workspace
if: matrix.language == 'rust'
working-directory: contracts
run: cargo build --workspace --target wasm32-unknown-unknown
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"