1 files changed, 89 insertions, 29 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 09d9135fa0..69f38f3f48 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,61 +1,121 @@
-name: "Code scanning - action"
+name: 'CodeQL'
 
 on:
   push:
+    branches: ['master']
     paths-ignore:
       - 'doc/**'
+      - '**/man/*'
       - '**.md'
       - '**.rdoc'
+      - '**/.document'
+      - '.*.yml'
   pull_request:
     paths-ignore:
       - 'doc/**'
+      - '**/man/*'
       - '**.md'
       - '**.rdoc'
+      - '**/.document'
+      - '.*.yml'
   schedule:
-    - cron: '0 12 * * 4'
+    - cron: '0 12 * * *'
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
   cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
 
-jobs:
-  CodeQL-Build:
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
 
-    # CodeQL runs on ubuntu-latest and windows-latest
+jobs:
+  analyze:
+    name: Analyze
     runs-on: ubuntu-latest
-    if: ${{ !startsWith(github.event.head_commit.message, '[DOC]') && !contains(github.event.pull_request.labels.*.name, 'Documentation') }}
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
+    # CodeQL fails to run pull requests from dependabot due to missing write access to upload results.
+    if: >-
+      ${{!(false
+      || contains(github.event.head_commit.message, '[DOC]')
+      || contains(github.event.pull_request.title, '[DOC]')
+      || contains(github.event.pull_request.labels.*.name, 'Documentation')
+      || (github.event_name == 'push' && github.event.pull_request.user.login == 'dependabot[bot]')
+      )}}
 
     env:
       enable_install_doc: no
 
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: cpp
+          - language: ruby
+
     steps:
-    - name: Install libraries
-      run: |
-        set -x
-        sudo apt-get update -q || :
-        sudo apt-get install --no-install-recommends -q -y build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev bison autoconf ruby
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install libraries
+        if: ${{ contains(matrix.os, 'macos') }}
+        uses: ./.github/actions/setup/macos
+
+      - name: Install libraries
+        if : ${{ matrix.os == 'ubuntu-latest' }}
+        uses: ./.github/actions/setup/ubuntu
 
-    - name: Checkout repository
-      uses: actions/checkout@v3
+      - uses: ./.github/actions/setup/directories
 
-    - uses: actions/cache@v3
-      with:
-        path: .downloaded-cache
-        key: downloaded-cache
+      - name: Remove an obsolete rubygems vendored file
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
 
-    - name: Remove an obsolete rubygems vendored file
-      run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
+        with:
+          languages: ${{ matrix.language }}
+          trap-caching: false
+          debug: true
 
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        config-file: ./.github/codeql/codeql-config.yml
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
 
-    - name: Set ENV
-      run: echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $GITHUB_ENV
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
+        with:
+          category: '/language:${{ matrix.language }}'
+          upload: False
+          output: sarif-results
 
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      - name: filter-sarif
+        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
+        with:
+          patterns: |
+            +**/*.rb
+            -lib/uri/mailto.rb:rb/overly-large-range
+            -lib/uri/rfc3986_parser.rb:rb/overly-large-range
+            -lib/bundler/vendor/uri/lib/uri/mailto.rb:rb/overly-large-range
+            -lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb:rb/overly-large-range
+            -test/ruby/test_io.rb:rb/non-constant-kernel-open
+            -test/open-uri/test_open-uri.rb:rb/non-constant-kernel-open
+            -test/open-uri/test_ssl.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/binread_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/readlines_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/foreach_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/write_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/io/read_spec.rb:rb/non-constant-kernel-open
+            -spec/ruby/core/kernel/open_spec.rb:rb/non-constant-kernel-open
+          input: sarif-results/${{ matrix.language }}.sarif
+          output: sarif-results/${{ matrix.language }}.sarif
+        if: ${{ matrix.language == 'ruby' }}
+        continue-on-error: true
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
+        with:
+          sarif_file: sarif-results/${{ matrix.language }}.sarif
+        continue-on-error: true