From 60d04c1dfb09fea203e4a0209a55cbbe86a9b5ef Mon Sep 17 00:00:00 2001
From: Ben Manes
Date: Thu, 26 Dec 2024 11:56:27 -0800
Subject: [PATCH] use an exhaustive codeql configuration
---
 .github/workflows/codeql.yml | 40 ++++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e81a566879..137e024c43 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -4,21 +4,15 @@
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 name: "CodeQL"
-
 on:
 push:
- branches: [master]
+ branches: [master, v2.dev, v3.dev]
 pull_request:
 # The branches below must be a subset of the branches above
- branches: [master]
+ branches: [master, v2.dev, v3.dev]
 schedule:
 - cron: '0 0 * * 4'
-
-permissions:
- actions: read
- contents: read
- pull-requests: read
- security-events: write
+permissions: read-all
 
 env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
@@ -28,6 +22,15 @@ jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ pull-requests: read
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ actions, java ]
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
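Review bot: `permissions: read-all` at the workflow level is broader than anything in this file uses and becomes the silent fallback for any job added later without its own block; since the only job here declares its own permissions, the workflow default can be the minimal `permissions:` followed by `  contents: read` without changing what `analyze` receives. The `schedule` trigger also runs only against the repository's default branch, so adding `v2.dev` and `v3.dev` to `push` and `pull_request` scans them on those events but the weekly cron will still analyze only `master`; if periodic scans of the dev branches are intended, that needs an explicit per-ref checkout rather than this trigger list. The removed blank lines are cosmetic.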
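Review bot: The new `actions` matrix leg runs every step of the Java job, including the Gradle setup whose `cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}` input opens the next hunk, the workflow-level `DEVELOCITY_ACCESS_KEY` env, and Autobuild, although scanning workflow files needs no build toolchain or secrets. Gating those steps on `if: ${{ matrix.language == 'java' }}`, or giving the actions scan its own lightweight job, keeps the secret-bearing steps out of the leg that does not use them and shortens the run. The job-level `permissions` block is the right shape: it replaces the workflow-level grant, so `security-events: write` stays scoped to this job. The step list continues past the end of this hunk.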
@@ -56,10 +59,25 @@ jobs:
 with:
 java: ${{ env.JAVA_VERSION }}
 cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
- - name: Initialize CodeQL
+ - name: Initialize CodeQL (Actions)
+ uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+ if: ${{ matrix.language == 'actions' }}
+ with:
+ languages: actions
+ - name: Initialize CodeQL (Java)
 uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+ if: ${{ matrix.language == 'java' }}
 with:
- languages: java
+ queries: +security-and-quality,security-extended,security-experimental
+ languages: java-kotlin
+ packs: >
+ +codeql/java-queries:.
+ githubsecuritylab/codeql-java-queries,
+ githubsecuritylab/codeql-java-extensions,
+ githubsecuritylab/codeql-java-library-sources,
+ githubsecuritylab/codeql-java-queries:suites/java-local.qls
+ config: |
+ threat-models: local
 - name: Autobuild
 uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
 - name: Perform CodeQL Analysis
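Review bot: The first `packs` entry `+codeql/java-queries:.` has no trailing comma, unlike the four entries after it; because `packs: >` is a folded scalar the lines join with spaces, and the action splits the `packs` input on commas, so it will see `codeql/java-queries:. githubsecuritylab/codeql-java-queries` as a single pack specification (pack `codeql/java-queries` with a bogus path) and `githubsecuritylab/codeql-java-queries` is never added as a whole pack, only its `java-local.qls` suite. The fix is the one line `+codeql/java-queries:.,`. Separately, Autobuild now also runs in the `actions` leg where there is nothing to build; conditioning it with `if: ${{ matrix.language == 'java' }}` like the init steps keeps that leg minimal. The `Perform CodeQL Analysis` step continues past the end of this hunk.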