chore(workflow): split codeql into its own job

erisu · erisu · commit 57b1d5a9f6b1 · 2026-06-05T15:43:03.000+09:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,20 +25,54 @@ on:
     branches:
       - '*'
 
-permissions:
-  contents: read
-  security-events: write
-
 jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 1
+
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 24.x
+
+      - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        with:
+          languages: javascript
+          queries: security-and-quality
+          config: |
+            paths-ignore:
+              - coverage
+              - node_modules
+
+      - name: Run npm install
+        run: npm ci
+        env:
+          CI: true
+
+      - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+
   test:
     name: NodeJS ${{ matrix.node-version }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      contents: read
+
     strategy:
       matrix:
         node-version: [20.x, 22.x, 24.x]
         os: [ubuntu-latest, macos-26]
-        node-options: '--test-coverage-exclude="test/**/*.js"' # shared default node options
+        # Shared default node options
+        node-options: '--test-coverage-exclude="test/**/*.js"'
 
         include:
           # Override default node options for node 20.x
@@ -61,23 +95,12 @@ jobs:
           node --version
           npm --version
 
-      - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
-        with:
-          languages: javascript
-          queries: security-and-quality
-          config: |
-            paths-ignore:
-              - coverage
-              - node_modules
-
       - name: npm install and test
         run: npm cit
         env:
           CI: true
           NODE_OPTIONS: ${{ matrix.node-options }}
 
-      - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
-
       - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
         if: success()
         with:
