diff --git a/.cspell.json b/.cspell.json
index f7a933e0..e0430305 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -50,13 +50,16 @@
 "KERNELVERSION",
 "Kortumstraße",
 "NOTSET",
+ "PYTHONPATH",
 "REPOPATH",
+ "STDLIB",
 "TARGETARCH",
 "TOOLSDIR",
 "Taskfile",
 "acpica",
 "addinivalue",
 "addoption",
+ "autobuild",
 "automerge",
 "autopep",
 "blkio",
@@ -67,6 +70,7 @@
 "cmds",
 "cocogitto",
 "commitlint",
+ "compileall",
 "complgen",
 "composefile",
 "coreboot",
@@ -91,6 +95,7 @@
 "elif",
 "emeraldlake",
 "endgroup",
+ "endswith",
 "exitcode",
 "filenamify",
 "githubaction",
@@ -142,6 +147,7 @@
 "pytest",
 "rdparty",
 "readarray",
+ "relpath",
 "rootdir",
 "runslow",
 "rustup",
@@ -149,9 +155,11 @@
 "seabios",
 "setenv",
 "sethvargo",
+ "setuptools",
 "shellcheck",
 "skipframes",
 "sloglint",
+ "splitext",
 "startswith",
 "staticcheck",
 "stmsg",
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 00000000..124a9da2
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,6 @@
+paths:
+ - .dagger-ci
+paths-ignore:
+ - '**/node_modules/**'
+ - '**/vendor/**'
+ - '**/tests/**'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..761329f6
--- /dev/null
+++ b/.github/workflows/codeql.yml
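Review bot: `paths:` restricted to `.dagger-ci` in the new codeql-config.yml is applied to every matrix language, because codeql.yml passes this same `config-file` to both `init` steps, so the `actions`, `go` and `javascript-typescript` analyses are scoped (or, for the compiled Go analysis, result-filtered) to a directory that, judging by the `requirements.txt` path and the Python-only setup steps, holds only the Python CI code. If the other three languages are meant to be covered, drop `paths:` or list each language's source directories alongside `.dagger-ci`. The `'**/tests/**'` entry under `paths-ignore` also hides findings in test code, which deserves a one-line comment stating the reason, e.g. `# tests excluded from scanning: <reason>`, so a later reader does not take it for an oversight.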
@@ -0,0 +1,172 @@
+---
+name: 'CodeQL Advanced'
+
+on:
+ push:
+ branches: ['main']
+ pull_request:
+ branches: ['main']
+ schedule:
+ # Run on Sunday at 23:25
+ - cron: '25 23 * * 0'
+
+permissions: read-all
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: go
+ build-mode: autobuild
+ - language: javascript-typescript
+ build-mode: none
+ - language: python
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Additional steps: Python
+ - name: Setup python
+ if: ${{ matrix.language == 'python' }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+
+ - name: Install deps
+ if: ${{ matrix.language == 'python' }}
+ run: |
+ curl -SL "$( curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'browser_download_url' | grep "docker-compose-linux-$(uname -m)" | grep -v '.sha256' | sed -E 's/.*https/https/g' | sed -E 's/\"//g' | grep -vE '.json$' )" -o docker-compose
+ sudo mv docker-compose /usr/local/bin/docker-compose
+ sudo chmod +x /usr/local/bin/docker-compose
+ docker-compose --version
+ docker-compose -f docker/compose.yaml config
+
+ - name: Install Python dependencies
+ if: ${{ matrix.language == 'python' }}
+ run: |
+ pip install -r ./.dagger-ci/daggerci/requirements.txt
+
+ # Copy Python files to a standard location
+ - name: Copy Python files to standard location
+ if: ${{ matrix.language == 'python' }}
+ run: |
+ # Create a standard Python project structure
+ mkdir -p /tmp/python-project/src
+
+ # Copy all Python files from .dagger-ci to the standard location
+ cp -r ./.dagger-ci/* /tmp/python-project/src/
+
+ # Create a setup.py file to make it look like a standard Python project
+ cat > /tmp/python-project/setup.py << 'EOF'
+ from setuptools import setup, find_packages
+
+ setup(
+ name="daggerci",
+ version="0.1",
+ packages=find_packages(where="src"),
+ package_dir={"": "src"}
+ )
+ EOF
+
+ # List all files in the standard location to verify
+ find /tmp/python-project -type f | sort
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL for not-Python
+ if: ${{ matrix.language != 'python' }}
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ config-file: .github/codeql/codeql-config.yml
+
+ - name: Initialize CodeQL for Python
+ if: ${{ matrix.language == 'python' }}
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ config-file: .github/codeql/codeql-config.yml
+ env:
+ # Extract the standard library to help with imports
+ CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB: true
+ # Set the Python path to include our repository
+ PYTHONPATH: ${{ github.workspace }}/.dagger-ci:${{ github.workspace }}
+
+ # Run a Python script that imports all modules to ensure they're analyzed
+ - name: Run Python imports for CodeQL
+ if: ${{ matrix.language == 'python' }}
+ run: |
+ # Create a script that imports all Python modules
+ cat > /tmp/import_all.py << 'EOF'
+ import os
+ import sys
+ import importlib
+
+ # Add the repository root to the Python path
+ repo_root = os.environ.get('GITHUB_WORKSPACE', '/home/runner/work/firmware-action/firmware-action')
+ sys.path.insert(0, repo_root)
+
+ # Add the .dagger-ci directory to the Python path
+ dagger_ci_path = os.path.join(repo_root, '.dagger-ci')
+ sys.path.insert(0, dagger_ci_path)
+
+ # Find all Python files in the .dagger-ci directory
+ for root, dirs, files in os.walk(dagger_ci_path):
+ for file in files:
+ if file.endswith('.py'):
+ # Convert file path to module name
+ rel_path = os.path.relpath(os.path.join(root, file), dagger_ci_path)
+ module_name = os.path.splitext(rel_path)[0].replace(os.path.sep, '.')
+
+ # Skip __init__.py files
+ if module_name.endswith('__init__'):
+ module_name = module_name[:-9]
+
+ # Try to import the module
+ print(f"Trying to import: {module_name}")
+ try:
+ importlib.import_module(module_name)
+ print(f"Successfully imported: {module_name}")
+ except Exception as e:
+ print(f"Failed to import {module_name}: {e}")
+ EOF
+
+ # Run the import script
+ PYTHONPATH=${{ github.workspace }}/.dagger-ci:${{ github.workspace }} python /tmp/import_all.py
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: '/language:${{matrix.language}}'
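Review bot: The `Install deps` step resolves the `latest` docker/compose release at run time, downloads the binary over the network and installs it into `/usr/local/bin` via `sudo` without any integrity check, while the pipeline explicitly discards the `.sha256` asset the release publishes next to the binary (`grep -v '.sha256'`), so the code that runs with root rights on the runner changes whenever upstream cuts a release and is never verified. Pin a release tag and verify the download against the published checksum before installing it, as in the rewritten step below. Nothing else in the hunk consumes docker-compose beyond `docker-compose -f docker/compose.yaml config`, so if that validation is not needed for the CodeQL run the whole step could instead be dropped. The same mutable-reference concern applies, more mildly, to `actions/checkout@v4`, `actions/setup-python@v5` and `github/codeql-action/*@v3`, which are tag- rather than SHA-pinned.

```yaml
      - name: Install deps
        if: ${{ matrix.language == 'python' }}
        env:
          # placeholder: pin to a reviewed docker/compose release tag
          COMPOSE_VERSION: '<PINNED_COMPOSE_VERSION>'
        run: |
          base="https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}"
          asset="docker-compose-linux-$(uname -m)"
          curl -fsSL "${base}/${asset}" -o "${asset}"
          curl -fsSL "${base}/${asset}.sha256" -o "${asset}.sha256"
          # assumes the .sha256 asset uses the usual "<hash>  <asset name>" layout, so verify under that name
          sha256sum -c "${asset}.sha256"
          sudo install -m 0755 "${asset}" /usr/local/bin/docker-compose
          # … unchanged: docker-compose --version and compose.yaml config check …
```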