.github/workflows/pop.yml

name: POP - poutine on poutine

on:
  push:
    branches: [ main ]
    paths:
      - .github/workflows/**
      - action.yml

  pull_request:
    branches: [ main ]
    paths:
      - .github/workflows/**
      - action.yml
    paths-ignore:
      - 'docs/**'

permissions: {}

jobs:
  pop:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
    - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
      with:
        disable-sudo: true
        egress-policy: audit
        allowed-endpoints: >
          github.com:443
          api.github.com:443
          codeload.github.com:443
          objects.githubusercontent.com:443
    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
    - uses: boostsecurityio/poutine-action@main # Dogfood the latest action
      name: "Run poutine on poutine's own codebase"
      id: self-test
    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
      with:
        sarif_file: results.sarif