From a0e715c09355ff0fbf53392902f28bcbdfeb1fb8 Mon Sep 17 00:00:00 2001
From: Bart Smykla
Date: Fri, 10 Jan 2025 14:02:32 +0100
Subject: [PATCH] ci(gha): update codeql workflow to set checks during scheduled runs (#12506)

## Motivation

Addressing security alert

## Implementation information

Updated CodeQL GitHub Actions workflow to set the `CodeQL` check on the commit being analyzed during scheduled runs, ensuring some commits are marked as having SAST runs by Scorecard

---------

Signed-off-by: Bart Smykla
---
 .github/workflows/codeql.yaml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 234edeb13705..03a11d1fe6e6 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -1,16 +1,18 @@
 name: "CodeQL"
+
 on:
-  workflow_dispatch: {}
   schedule:
     - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
-permissions:
-  contents: read
+  workflow_dispatch: {}
+
+permissions: {}
+
 jobs:
   analyze:
-    timeout-minutes: 30
-    name: Analyze
     runs-on: ubuntu-24.04
+    timeout-minutes: 30
     permissions:
+      contents: read
       actions: read
       security-events: write
     strategy:
@@ -18,7 +20,8 @@ jobs:
       matrix:
         language: ['go']
     steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - id: checkout
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: go.mod
@@ -32,4 +35,6 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
+          ref: ${{ steps.checkout.outputs.ref }}
+          sha: ${{ steps.checkout.outputs.commit }}
           category: "/language:${{matrix.language}}"
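Review bot: The two added `with:` inputs on the "Perform CodeQL Analysis" step are the whole point of the change, yet nothing in the workflow says why they exist, so a later cleanup could drop them as redundant with the action's defaults; add a comment above `ref:` such as `# Attribute the upload to the checked-out commit so a CodeQL check run is recorded on it during scheduled runs (this is what Scorecard's SAST check looks for); the action expects ref and sha to be given together.` The `ref` and `commit` outputs of actions/checkout were introduced in v4.2.0, which is exactly the pinned version in the earlier hunk, so the expressions resolve here; if that pin is ever moved to an older release they would evaluate to empty strings, which the analyze step would presumably reject or silently mis-attribute. A one-line comment on the `id: checkout` step in the earlier hunk noting that the analyze step depends on its outputs would make that coupling visible to whoever next bumps the pin.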