sast

Bump the github-actions group with 2 updates #1339

	---
	name: "sast"

	on:
	pull_request:
	branches:
	- "main"
	push:
	branches:
	- "main"
	schedule:
	- cron: "19 19 * * 4"

	permissions: "read-all"

	jobs:
	ossf:
	runs-on: "ubuntu-latest"
	# ossf scorecard only supported on main branch
	if: github.event_name != 'pull_request'
	permissions:
	security-events: "write"
	id-token: "write"
	contents: "read"
	actions: "read"
	steps:
	- uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
	with:
	persist-credentials: false
	- uses: "ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46"
	with:
	results_file: "results.sarif"
	results_format: "sarif"
	publish_results: true
	- uses: "actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08"
	with:
	name: "SARIF file"
	path: "results.sarif"
	retention-days: 5
	- uses: "github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4"
	with:
	sarif_file: "results.sarif"

	codeql:
	runs-on: "ubuntu-latest"

	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
	- uses: "github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4"
	with:
	languages: "typescript"
	- uses: "pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2"
	with:
	version: "latest"
	- uses: "actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a"
	with:
	node-version-file: ".nvmrc"
	cache: "pnpm"
	- run: "make install"
	- uses: "github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4"

Provide feedback