ci(security): codeql analysis workflow (#3)

.github/CODEOWNERS

@@ -0,0 +1,9 @@
+# This is a comment.
+# Each line is a file pattern followed by one or more owners.
+# See https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# @global-owner1 and @global-owner2 will be requested for
+# review when someone opens a pull request.
+*       @aabouzaid

.github/workflows/go-ci.yml

@@ -1,4 +1,4 @@
-name: Go CI
+name: Go - CI
 on:
   push:
     branches:
@@ -28,7 +28,7 @@ jobs:
     needs: ["lint"]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
         go-version: '1.21'

.github/workflows/sec-codeql.yml

@@ -0,0 +1,41 @@
+name: Security - CodeQL
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '11 0 * * 5'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze Code
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Setup Golang Caches
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: go
+    # Autobuild attempts to build any compiled languages.
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2