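---
# Static analysis for this repository: zizmor audits the workflow files
# themselves, Semgrep CE scans the source tree. Every action and the
# container image are pinned to an immutable commit SHA / image digest so
# an upstream tag move cannot change what runs here; keep the trailing
# "# vX.Y.Z" comment in sync whenever a pin is bumped.
name: Static Analysis

on:  # yamllint disable-line rule:truthy
  push:
    branches-ignore:
      - 'translations**'
  pull_request:
    branches-ignore:
      - 'translations**'
  workflow_dispatch:

# One in-flight run per PR (or per ref outside PRs); a newer push cancels
# the older run instead of queuing behind it.
concurrency:
  group: static-analysis-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Workflow-wide default is read-only; each job raises only what it needs.
permissions:
  contents: read

jobs:
  zizmor:
    name: Run zizmor
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      # NOTE(review): actions: read is presumably needed for the SARIF
      # upload on private repositories - confirm against the action's docs.
      actions: read
      security-events: write  # lets the action publish its SARIF to code scanning
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7

  semgrep:
    name: Semgrep CE
    runs-on: ubuntu-24.04
    container:
      image: semgrep/semgrep:1.155.0@sha256:cc869c685dcc0fe497c86258da9f205397d8108e56d21a86082ea4886e52784d
    # Skipped for Dependabot - presumably because those runs get a read-only
    # GITHUB_TOKEN and the SARIF upload below would fail; confirm if this
    # condition is ever relaxed.
    if: github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: write  # required by upload-sarif
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config
      # `--config auto` fetches rules from the Semgrep registry at run time;
      # per Semgrep's documentation this mode also reports project metadata
      # to semgrep.dev. Point `--config` at a vendored ruleset if either the
      # network dependency or that reporting is unwanted.
      - name: Run Semgrep
        run: semgrep scan --config auto --sarif-output results.sarif
      # `!cancelled()` instead of `always()`: still uploads when the scan
      # step fails (so findings are not lost), but does not attempt an
      # upload after the run has been cancelled.
      - name: Upload results to GitHub code scanning
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        if: ${{ !cancelled() }}
        with:
          sarif_file: results.sarif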