Skip to content
CodeQL

chore: update global workflows #144

Sign in to view logs

chore: update global workflows

chore: update global workflows #144

Workflow file for this run

.github/workflows/codeql.yml at 6a565f4
---
# This workflow is centrally managed in https://github.com/<organization>/.github/
# Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in
# the above-mentioned repo.
# This workflow will analyze all supported languages in the repository using CodeQL Analysis.
name: "CodeQL"
permissions:
contents: read
on:
push:
branches:
- master
pull_request:
branches:
- master
schedule:
- cron: '00 12 * * 0' # every Sunday at 12:00 UTC
concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true
jobs:
languages:
name: Get language matrix
outputs:
matrix: ${{ steps.lang.outputs.result }}
continue: ${{ steps.continue.outputs.result }}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Get repo languages
id: lang
uses: actions/github-script@v7
with:
script: |
// CodeQL supports the following:
// ['actions', 'c', 'cpp', 'csharp', 'go', 'java', 'javascript', 'kotlin', 'python', 'ruby', 'swift']
// Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
const supported_languages = [
'cpp',
'csharp',
'go',
'java',
'javascript',
'python',
'ruby',
'swift',
]
const remap_languages = {
'c': 'cpp',
'c++': 'cpp',
'c#': 'csharp',
'kotlin': 'java',
'typescript': 'javascript',
}
const repo = context.repo
const response = await github.rest.repos.listLanguages(repo)
let matrix = {
"include": []
}
// Track languages we've already added to avoid duplicates
const addedLanguages = new Set()
// Check if workflow files exist to determine if we should add actions language
const fs = require('fs');
const hasYmlFiles = fs.existsSync('.github/workflows') &&
fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml'));
// Add actions language if workflow files exist
if (hasYmlFiles) {
console.log('Found GitHub Actions workflow files. Adding actions to the matrix.');
matrix['include'].push({
"category": "/language:actions",
"language": "actions",
"name": "actions",
"os": "ubuntu-latest",
"build-mode": "none",
});
}
for (let [key, value] of Object.entries(response.data)) {
// remap language
if (remap_languages[key.toLowerCase()]) {
console.log(`Remapping language: ${key} to ${remap_languages[key.toLowerCase()]}`)
key = remap_languages[key.toLowerCase()]
}
const normalizedKey = key.toLowerCase()
if (supported_languages.includes(normalizedKey) && !addedLanguages.has(normalizedKey)) {
// Mark this language as added
addedLanguages.add(normalizedKey)
console.log(`Found supported language: ${normalizedKey}`)
let osList = ['ubuntu-latest'];
if (normalizedKey === 'swift') {
osList = ['macos-latest'];
}
for (let os of osList) {
// set name for matrix
let name = osList.length === 1 ? normalizedKey : `${normalizedKey}, ${os}`
// set category for matrix
let category = `/language:${normalizedKey}`
let build_mode = 'none';
// Set build mode based on language
switch (normalizedKey) {
case 'csharp':
build_mode = 'autobuild'
break
case 'go':
build_mode = 'autobuild'
break
case 'java':
build_mode = 'autobuild'
break
default:
build_mode = 'none'
}
// add to matrix
matrix['include'].push({
"category": category,
"language": normalizedKey,
"name": name,
"os": os,
"build-mode": build_mode,
})
}
}
}
// print languages
console.log(`matrix: ${JSON.stringify(matrix)}`)
return matrix
- name: Continue
id: continue
uses: actions/github-script@v7
with:
script: |
// if matrix['include'] is an empty list return false, otherwise true
const matrix = ${{ steps.lang.outputs.result }} // this is already json encoded
if (matrix['include'].length == 0) {
return false
} else {
return true
}
analyze:
name: Analyze (${{ matrix.name }})
if: needs.languages.outputs.continue == 'true'
env:
GITHUB_CODEQL_BUILD: true
needs: languages
permissions:
actions: read
contents: read
security-events: write
runs-on: ${{ matrix.os || 'ubuntu-latest' }}
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.languages.outputs.matrix) }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 60 }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# yamllint disable-line rule:line-length
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
config: |
paths-ignore:
- build
- node_modules
- third-party
build-mode: ${{ matrix.build-mode || 'none' }}
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
- name: Autobuild
if: matrix.build-mode == 'autobuild'
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "${{ matrix.category }}"
output: sarif-results
upload: failure-only
- name: filter-sarif
uses: advanced-security/filter-sarif@v1
with:
input: sarif-results/${{ matrix.language }}.sarif
output: sarif-results/${{ matrix.language }}.sarif
patterns: |
-build/**
-node_modules/**
-third\-party/**
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
category: "${{ matrix.category }}"
sarif_file: sarif-results/${{ matrix.language }}.sarif
- name: Upload loc as a Build Artifact
uses: actions/upload-artifact@v4
with:
name: sarif-results-${{ matrix.language }}-${{ runner.os }}
path: sarif-results
if-no-files-found: error
retention-days: 1