# This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. # Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency. # https://github.com/rrrene/credo # # To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. # # Instructions: # 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage # 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository # and review the "Security" tab once the action has run. name: Credo on: push: branches: [ $default-branch, $protected-branches ] pull_request: # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly permissions: contents: read jobs: security-scan: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest strategy: fail-fast: false matrix: otp: [version] elixir: [version] steps: - uses: actions/checkout@v4 - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f with: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} - name: get dependencies run: mix deps.get - name: compile dependencies run: mix deps.compile - name: compile run: mix compile - name: credo-scan run: mix credo --format=sarif > credo_output.sarif - name: upload sarif uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: credo_output.sarif