feat: Turborepo remote caching for all CI steps #5
| name: CodeQL Security Scan | |
| on: | |
| pull_request: | |
| branches: [main, develop] | |
| schedule: | |
| - cron: "0 3 * * 1" # weekly on Monday at 03:00 UTC | |
| push: | |
| branches: [main] | |
| jobs: | |
| analyze: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [javascript-typescript, rust] | |
| include: | |
| - language: javascript-typescript | |
| build-mode: none | |
| - language: rust | |
| build-mode: manual | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| # security-and-quality includes checks for SQL injection (CWE-089) | |
| queries: security-and-quality | |
| # Rust requires an explicit build so CodeQL can trace it | |
| - name: Install Rust toolchain | |
| if: matrix.language == 'rust' | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: wasm32-unknown-unknown | |
| - name: Build Rust contracts | |
| if: matrix.language == 'rust' | |
| run: cargo build --manifest-path apps/contracts/Cargo.toml | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: ${{ matrix.language }} |
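Review bot: The `uses:` steps reference mutable refs (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`, and `dtolnay/rust-toolchain@stable`, which is a branch rather than a release tag) in a job that holds `security-events: write` and then runs `cargo build`, so a moved ref changes the code executed here without any change in this repository. Pin each one to a full commit SHA with the version in a trailing comment, e.g. `uses: dtolnay/rust-toolchain@<full-commit-sha>  # stable` together with `toolchain: stable` under `with:`, because the ref no longer selects the toolchain once it is pinned. Separately, the `build-mode` values set under `matrix.include` are never passed to the Initialize CodeQL step; if they are meant to take effect, add `build-mode: ${{ matrix.build-mode }}` under its `with:`, and confirm that `manual` is a build mode CodeQL accepts for Rust.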