name: CodeQL analysis

# **What it does**: This runs CodeQL on our repository.
# **Why we have it**: Security scanning.
# **Who does it impact**: Docs engineering.

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
    paths:
      - '**/*.js'
      - '.github/workflows/codeql.yml'

permissions:
  actions: read
  contents: read
  security-events: write

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: true

jobs:
  build:
    if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
      - uses: github/codeql-action/init@1a927e9307bc11970b2c679922ebc4d03a5bd980
        with:
          languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp} (not YET ruby, sorry!)
      - uses: github/codeql-action/analyze@1a927e9307bc11970b2c679922ebc4d03a5bd980
        continue-on-error: true