action.yml

name: Workflow Scan Action
author: "rcowsill"
description: Scan GitHub Actions workflow files with CodeQL

inputs:
  extra-queries:
    description: Comma-separated list of additional queries to run
    default: ""
  use-default-queries:
    description: Whether to use the default workflow-security-suite queries
    default: true
  upload:
    description: Whether to upload the SARIF file to Code Scanning
    default: true
  data-dir-name:
    description: Name of the directory which will hold data needed by the action
    default: workflow-scan-action-data

runs:
  using: composite
  steps:
    - name: Configure CodeQL for workflow security scanning
      run: . "$GITHUB_ACTION_PATH/setup.sh"
      shell: bash
      env:
        DATA_DIR_NAME: ${{ inputs.data-dir-name }}
        EXTRA_QUERIES: ${{ inputs.extra-queries }}
        USE_DEFAULT_QUERIES: ${{ inputs.use-default-queries }}

    - uses: github/codeql-action/init@v3
      with:
        config-file: ${{ env.WSA_CONFIG_PATH }}
        queries: ${{ env.WSA_QUERIES }}
        languages: javascript

    - uses: github/codeql-action/analyze@v3
      with:
        upload: ${{ inputs.upload }}

branding:
  icon: search
  color: gray-dark