Create hotspots.yml

Alvaro Muñoz · web-flow · commit b9be2eeaf713 · 2024-11-29T14:34:42.000+01:00
diff --git a/.github/workflows/hotspots.yml b/.github/workflows/hotspots.yml
@@ -0,0 +1,123 @@
+name: "Hotspots CodeQL Build/Publish"
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "QLPack version"
+        required: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: cpp
+            runner: ubuntu-latest
+          - language: csharp
+            runner: ubuntu-latest
+          - language: go
+            runner: ubuntu-latest
+          - language: java
+            runner: ubuntu-latest-xl
+          - language: javascript
+            runner: ubuntu-latest
+          - language: python
+            runner: ubuntu-latest
+          - language: ruby
+            runner: ubuntu-latest
+    steps:
+      - name: Checkout github/codeql
+        uses: actions/checkout@v2
+        with:
+          path: codeql
+          repository: github/codeql
+          token: ${{ secrets.GHSECURITYLAB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Checkout github/codeql-community-packs
+        uses: actions/checkout@v2
+        with:
+          path: codeql-community-packs
+          repository: github/codeql-community-packs
+          ref: ${{ github.ref }}
+
+      - name: Find codeql
+        id: find-codeql
+        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
+        with:
+          languages: javascript # does not matter
+        
+      - name: Initialize CodeQL
+        id: init
+        run: |
+          # Take the most modern version
+          VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
+                     | sort \
+                     | tail -n 1 \
+                     | tr -d '\n')"
+
+          CODEQL="$VERSION/x64/codeql/"
+          "${CODEQL}"/codeql version --format=json
+          echo "${CODEQL}" >> $GITHUB_PATH
+
+      - name: Create CodeQL config
+        run: |
+          mkdir -p ~/.config/codeql
+          echo '--search-path /home/runner/work/codeql-community-packs/codeql-community-packs/codeql/ql/extractor-pack' >> ~/.config/codeql/config
+
+      - name: Install QL extractor
+        working-directory: codeql/ql
+        run: |
+          ./scripts/create-extractor-pack.sh
+
+      - name: Patch the CodeQL distro
+        working-directory: codeql-community-packs
+        run: |
+          ls -la "$GITHUB_WORKSPACE/codeql-community-packs/ql/hotspots/Hotspots.ql"
+          pip install pandas
+          python scripts/generate-hotspots-queries.py \
+            --ql-extractor "$GITHUB_WORKSPACE/codeql/ql/extractor-pack" \
+            --ql-path "$GITHUB_WORKSPACE/codeql"
+          python scripts/patch-codeql.py \
+            --hotspots "$GITHUB_WORKSPACE/codeql-community-packs/ql/hotspots/output" \
+            --ql "$GITHUB_WORKSPACE/codeql" \
+            --dest "$GITHUB_WORKSPACE/codeql-patched" \
+            --qlpack-version ${{ inputs.version }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check and publish hotspots lib packs
+        working-directory: codeql-patched
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}
+        run: |
+          PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/hotspots-${{ matrix.language }}-all/versions --jq '.[0].metadata.container.tags[0]')
+          CURRENT_VERSION=$(grep version ${{ matrix.language }}/ql/lib/qlpack.yml | awk '{print $2}')
+
+          echo "Published lib version: $PUBLISHED_VERSION"
+          echo "Local lib version: $CURRENT_VERSION"
+          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            codeql pack install "${{ matrix.language }}/ql/lib"
+            codeql pack publish "${{ matrix.language }}/ql/lib"
+          fi
+
+      - name: Check and publish hotspots src packs
+        working-directory: codeql-patched
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}
+        run: |
+          PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/hotspots-${{ matrix.language }}-queries/versions --jq '.[0].metadata.container.tags[0]')
+          CURRENT_VERSION=$(grep version ${{ matrix.language }}/ql/src/qlpack.yml | awk '{print $2}')
+
+          echo "Published queries version: $PUBLISHED_VERSION"
+          echo "Local queries version: $CURRENT_VERSION"
+          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            codeql pack install "${{ matrix.language }}/ql/src"
+            codeql pack publish "${{ matrix.language }}/ql/src"
+          fi
