PHP 8.2 + Nextcloud 32 modernization, tests, REUSE compliance, OSS CI hardening #2
```yaml
# SPDX-FileCopyrightText: 2026 Inter Fonts App Contributors
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# .github/workflows/codeql.yml
#
# CodeQL static analysis. CodeQL has no PHP analyser at the time of writing
# (https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/supported-languages-and-frameworks),
# so we run it only against `actions` — its workflow query pack catches
# untrusted-input expression injection (`${{ github.event.* }}` flowing
# into a `run:` block) and other workflow-specific security defects.
# Re-add `php` to the matrix the moment GitHub ships PHP support.
#
# Findings appear in the repo's "Security → Code scanning" tab and are
# also surfaced as PR review comments on the offending lines.
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly re-scan picks up new query packs from GitHub without waiting
    # for the next push.
    - cron: "0 4 * * 1"
permissions:
  contents: read
  security-events: write
  actions: read
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [actions]
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: none
          queries: security-and-quality
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```
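The expression-injection pattern named in the header comment, shown as an added example that is not one of this repository's workflows: a constructed workflow in which one job interpolates a `github.event` value into a `run:` script and a second job passes the same value through an environment variable. The workflow, job and step names and the title-prefix rule are made up for illustration.

```yaml
# Constructed example; not from this repository.
name: PR title check
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  interpolated:
    runs-on: ubuntu-latest
    steps:
      # The ${{ }} expression is expanded into the script text before the
      # shell starts, so the PR title is parsed as shell source. This is the
      # untrusted-input data flow the comment above describes.
      - name: Check title (value interpolated into the script)
        run: |
          title="${{ github.event.pull_request.title }}"
          case "$title" in
            feat:*|fix:*|chore:*) echo "title ok" ;;
            *) echo "title needs a type prefix"; exit 1 ;;
          esac
  hardened:
    runs-on: ubuntu-latest
    steps:
      # The script text is constant. The title reaches the shell only as the
      # content of an environment variable and is always expanded quoted.
      - name: Check title (value passed through env)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          case "$PR_TITLE" in
            feat:*|fix:*|chore:*) echo "title ok" ;;
            *) echo "title needs a type prefix"; exit 1 ;;
          esac
```

Both jobs apply the same check; only the path the event value takes into the shell differs.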