Some cleanup and boyscouting #6640

	name: "CodeQL"

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	env:
	python_version: '3.12'

	permissions:
	contents: read

	jobs:
	analyze:
	permissions:
	security-events: write # for github/codeql-action/autobuild to send a status report
	name: Analyze
	runs-on: ubuntu-22.04
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
	with:
	egress-policy: audit

	- name: Checkout repository
	uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
	- name: Set up Python
	uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
	with:
	python-version: ${{ env.python_version }}
	cache: pip
	- name: Install Linux Dependencies
	run: >
	sudo apt-get update -qq && sudo apt-get install -qq --no-install-recommends
	libgirepository1.0-dev
	- name: Install Poetry
	run: python${{ env.python_version }} -m pip install --constraint=.github/constraints.txt poetry
	- name: Configure Poetry
	run: poetry config virtualenvs.in-project true
	- name: Install Python Dependencies
	run: \|
	poetry install --no-interaction
	- name: Initialize CodeQL
	uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
	with:
	languages: python
	# Override the default behavior so that the action doesn't attempt
	# to auto-install Python dependencies
	setup-python-dependencies: false
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5

Provide feedback