Enable codeql for github actions

.github/workflows/approval-comment.yaml

@@ -7,6 +7,8 @@ jobs:
     if: startsWith(github.event.review.body, '/karpenter snapshot') || startsWith(github.event.review.body, '/karpenter scale') || startsWith(github.event.review.body, '/karpenter versionCompatibility')
     runs-on: ubuntu-latest
     steps:
+      - run: |
+          echo "${{ github.event.review.body }}"
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0

.github/workflows/codeql.yaml

@@ -0,0 +1,47 @@
+name: "CodeQL"
+on:
+  push:
+    branches:
+      - 'main'
+      - 'release-v*'
+  pull_request:
+  schedule:
+    - cron: '0 12 * * *'
+jobs:
+  analyze-go:
+    name: Analyze Go
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # github/codeql-action/init@v2
+      security-events: write # github/codeql-action/init@v2
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: ./.github/actions/install-deps
+      - run: make vulncheck
+      - uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+        with:
+          languages: go
+      - uses: github/codeql-action/autobuild@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+      - uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+  # Javascript is added here for evaluating Github Action vulnerabilities
+  # https://github.blog/2023-08-09-four-tips-to-keep-your-github-actions-workflows-secure/#2-enable-code-scanning-for-workflows
+  analyze-github-actions:
+    name: Analyze Github Actions
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # github/codeql-action/init@v2
+      security-events: write # github/codeql-action/init@v2
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+        with:
+          languages: javascript
+          config: |
+            packs:
+              # Use the latest version of 'codeql-javascript' published by 'advanced-security'
+              # This will catch things like actions that aren't pinned to a hash
+              - advanced-security/codeql-javascript
+            paths:
+              - '.github/workflows'
+              - '.github/actions'
+      - uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8

.github/workflows/e2e-soak-trigger.yaml

@@ -11,7 +11,7 @@ jobs:
     outputs:
       PREEXISTING_CLUSTERS: ${{ steps.list_clusters.outputs.PREEXISTING_CLUSTERS }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: configure aws credentials
       uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a
       with:

.github/workflows/resource-count.yaml

@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: configure aws credentials
-        uses: aws-actions/[email protected]
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: arn:aws:iam::${{ vars.ACCOUNT_ID }}:role/${{ vars.ROLE_NAME }}
           aws-region: ${{ matrix.region }}