Create codeql.yml

.cspell.json

@@ -50,13 +50,16 @@
     "KERNELVERSION",
     "Kortumstraße",
     "NOTSET",
+    "PYTHONPATH",
     "REPOPATH",
+    "STDLIB",
     "TARGETARCH",
     "TOOLSDIR",
     "Taskfile",
     "acpica",
     "addinivalue",
     "addoption",
+    "autobuild",
     "automerge",
     "autopep",
     "blkio",
@@ -67,6 +70,7 @@
     "cmds",
     "cocogitto",
     "commitlint",
+    "compileall",
     "complgen",
     "composefile",
     "coreboot",
@@ -91,6 +95,7 @@
     "elif",
     "emeraldlake",
     "endgroup",
+    "endswith",
     "exitcode",
     "filenamify",
     "githubaction",
@@ -142,16 +147,19 @@
     "pytest",
     "rdparty",
     "readarray",
+    "relpath",
     "rootdir",
     "runslow",
     "rustup",
     "savedefconfig",
     "seabios",
     "setenv",
     "sethvargo",
+    "setuptools",
     "shellcheck",
     "skipframes",
     "sloglint",
+    "splitext",
     "startswith",
     "staticcheck",
     "stmsg",

.github/codeql/codeql-config.yml

@@ -0,0 +1,6 @@
+paths:
+  - .dagger-ci
+paths-ignore:
+  - '**/node_modules/**'
+  - '**/vendor/**'
+  - '**/tests/**'

.github/workflows/codeql.yml

@@ -0,0 +1,172 @@
+---
+name: 'CodeQL Advanced'
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+  schedule:
+    # Run on Sunday at 23:25
+    - cron: '25 23 * * 0'
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: go
+            build-mode: autobuild
+          - language: javascript-typescript
+            build-mode: none
+          - language: python
+            build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Additional steps: Python
+      - name: Setup python
+        if: ${{ matrix.language == 'python' }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install deps
+        if: ${{ matrix.language == 'python' }}
+        run: |
+          curl -SL "$( curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'browser_download_url' | grep "docker-compose-linux-$(uname -m)" | grep -v '.sha256' | sed -E 's/.*https/https/g' | sed -E 's/\"//g' | grep -vE '.json$' )" -o docker-compose
+          sudo mv docker-compose /usr/local/bin/docker-compose
+          sudo chmod +x /usr/local/bin/docker-compose
+          docker-compose --version
+          docker-compose -f docker/compose.yaml config
+
+      - name: Install Python dependencies
+        if: ${{ matrix.language == 'python' }}
+        run: |
+          pip install -r ./.dagger-ci/daggerci/requirements.txt
+
+      # Copy Python files to a standard location
+      - name: Copy Python files to standard location
+        if: ${{ matrix.language == 'python' }}
+        run: |
+          # Create a standard Python project structure
+          mkdir -p /tmp/python-project/src
+
+          # Copy all Python files from .dagger-ci to the standard location
+          cp -r ./.dagger-ci/* /tmp/python-project/src/
+
+          # Create a setup.py file to make it look like a standard Python project
+          cat > /tmp/python-project/setup.py << 'EOF'
+          from setuptools import setup, find_packages
+
+          setup(
+              name="daggerci",
+              version="0.1",
+              packages=find_packages(where="src"),
+              package_dir={"": "src"}
+          )
+          EOF
+
+          # List all files in the standard location to verify
+          find /tmp/python-project -type f | sort
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL for not-Python
+        if: ${{ matrix.language != 'python' }}
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: .github/codeql/codeql-config.yml
+
+      - name: Initialize CodeQL for Python
+        if: ${{ matrix.language == 'python' }}
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: .github/codeql/codeql-config.yml
+        env:
+          # Extract the standard library to help with imports
+          CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB: true
+          # Set the Python path to include our repository
+          PYTHONPATH: ${{ github.workspace }}/.dagger-ci:${{ github.workspace }}
+
+      # Run a Python script that imports all modules to ensure they're analyzed
+      - name: Run Python imports for CodeQL
+        if: ${{ matrix.language == 'python' }}
+        run: |
+          # Create a script that imports all Python modules
+          cat > /tmp/import_all.py << 'EOF'
+          import os
+          import sys
+          import importlib
+
+          # Add the repository root to the Python path
+          repo_root = os.environ.get('GITHUB_WORKSPACE', '/home/runner/work/firmware-action/firmware-action')
+          sys.path.insert(0, repo_root)
+
+          # Add the .dagger-ci directory to the Python path
+          dagger_ci_path = os.path.join(repo_root, '.dagger-ci')
+          sys.path.insert(0, dagger_ci_path)
+
+          # Find all Python files in the .dagger-ci directory
+          for root, dirs, files in os.walk(dagger_ci_path):
+              for file in files:
+                  if file.endswith('.py'):
+                      # Convert file path to module name
+                      rel_path = os.path.relpath(os.path.join(root, file), dagger_ci_path)
+                      module_name = os.path.splitext(rel_path)[0].replace(os.path.sep, '.')
+
+                      # Skip __init__.py files
+                      if module_name.endswith('__init__'):
+                          module_name = module_name[:-9]
+
+                      # Try to import the module
+                      print(f"Trying to import: {module_name}")
+                      try:
+                          importlib.import_module(module_name)
+                          print(f"Successfully imported: {module_name}")
+                      except Exception as e:
+                          print(f"Failed to import {module_name}: {e}")
+          EOF
+
+          # Run the import script
+          PYTHONPATH=${{ github.workspace }}/.dagger-ci:${{ github.workspace }} python /tmp/import_all.py
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:${{matrix.language}}'