IEC81346 #1946

	name: CodeQL Security Analysis

	on:
	push:
	branches: [ "master" ]
	pull_request:
	branches: [ "master" ]
	schedule:
	- cron: '0 2 * * 1' # Weekly Monday 02:00 UTC

	permissions:
	contents: read
	security-events: write
	actions: read

	jobs:
	analyze:
	name: Analyze (Java)
	runs-on: ubuntu-latest
	timeout-minutes: 90
	steps:
	- name: Checkout repository
	uses: actions/checkout@v6

	- name: Setup Java
	uses: actions/setup-java@v5
	with:
	distribution: temurin
	java-version: '11'
	cache: maven

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v4
	with:
	languages: java
	queries: security-extended,security-and-quality
	build-mode: manual

	- name: Build with Maven (no tests)
	run: >
	./mvnw -B -V -e -ntp
	-DskipTests -Dmaven.test.skip=true
	-Dfindbugs.skip=true -Dcheckstyle.skip=true -Dpmd.skip=true -Dspotbugs.skip=true
	-Denforcer.skip=true -Dmaven.javadoc.skip=true -Dlicense.skip=true -Drat.skip=true
	-Dspotless.check.skip=true
	clean package

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v4
	with:
	category: "/language:java"
	# GitHub will reject SARIF uploads from "advanced" CodeQL workflows when
	# the repository has CodeQL "default setup" enabled.
	# Either disable default setup in repository settings, or keep this set
	# to false and consume the SARIF as a workflow artifact instead.
	upload: false
	output: codeql-results

	- name: Upload CodeQL SARIF (artifact)
	uses: actions/upload-artifact@v7
	with:
	name: codeql-sarif
	path: codeql-results/*/.sarif
	if-no-files-found: warn

Provide feedback