codeql-analysis.yml

name: CodeQL

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

  schedule:
    - cron: '0 11 * * *'
      #      | | | | |
      #      | | | | |____ day of the week (0 - 6 or SUN-SAT)
      #      | | | |____ month (1 - 12 or JAN-DEC)
      #      | | |____ day of the month (1 - 31)
      #      | |____ hour (0 - 23)
      #      |____ minute (0 - 59)

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    # The maximum number of minutes to let a workflow run
    # before GitHub automatically cancels it. Default: 360
    timeout-minutes: 30

    strategy:
      # When set to true, GitHub cancels
      # all in-progress jobs if any matrix job fails.
      fail-fast: false

      matrix:
        language:
          - javascript

    permissions:
      # required for all workflows
      security-events: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Setup Hugo
        uses: peaceiris/actions-hugo@v3
        with:
          hugo-version: '0.121.0'
          extended: true

      - name: Set up Node 20.x
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          cache: 'npm'
          cache-dependency-path: '**/package-lock.json'

      - name: Install a project with a clean slate
        run: npm ci --ignore-scripts

      - name: Build site
        run: npm run build

      - name: Audit packages
        run: npm audit --audit-level=high

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3