diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 00000000000..df477b4883a
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,55 @@
+name: "CodeQL Config"
+
+# Exclude paths to reduce disk space usage during CodeQL analysis
+# This prevents analyzing unnecessary files that consume disk space
+paths-ignore:
+ # Dependencies - don't analyze third-party code
+ - "**/node_modules"
+ - "**/yarn.lock"
+ - "**/package-lock.json"
+
+ # Build artifacts - generated code doesn't need analysis
+ - "**/dist"
+ - "**/lib"
+ - "**/compiled"
+ - "**/build"
+ - "**/www"
+ - "**/release"
+
+ # Test fixtures and snapshots
+ - "**/__mocks__"
+ - "**/__image_snapshots__"
+ - "**/_fixtures"
+ - "**/fixture"
+ - "**/test/**/*.png"
+ - "**/test/**/*.jpg"
+ - "**/test/**/*.svg"
+ - "**/integration-tests/**/*.png"
+
+ # Example and playground files - not production code
+ - "**/example"
+ - "**/examples"
+ - "**/playground"
+ - "**/website"
+ - "**/docs"
+
+ # Generated files
+ - "**/*.map"
+ - "**/*.min.js"
+ - "**/*.min.css"
+
+ # Large standalone packages - exclude website and release directories
+ - "standalone-packages/monaco-editor/website"
+ - "standalone-packages/monaco-editor/release"
+ - "standalone-packages/vscode-editor/release"
+ - "standalone-packages/vscode-textmate/**/*.result"
+ - "standalone-packages/vscode-textmate/**/*.patch"
+
+ # Static assets
+ - "**/static/fonts"
+ - "**/static/img"
+ - "**/public"
+
+ # CI/CD files
+ - "**/Dockerfile*"
+ - "**/.circleci"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000000..5e1e3aa8d9c
--- /dev/null
+++ b/.github/workflows/codeql.yml
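Review bot: The `**/lib`, `**/www`, `**/public`, `**/example` and `**/examples` entries under the "Build artifacts" and "Example and playground files" groups are broad enough to remove first-party source from the scan, not only generated output — in many JavaScript/TypeScript packages `lib/`, `public/` and `www/` hold hand-written code, and anything matched here is never seen by the JS/TS queries at all. Whether those directories are really generated in this repository cannot be told from the hunk; it is worth checking the tree and, where a directory is generated only under a particular package, replacing the wildcard with the exact path as the `standalone-packages/...` entries already do. The header comment could state the cost directly, e.g. `# Anything listed here is never analyzed - keep this to third-party and generated output only`. The `*.png`/`*.jpg`/`*.svg` entries are unlikely to change what the JS/TS extractor processes and could be dropped so the list only names exclusions that actually do something.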
@@ -0,0 +1,83 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '0 0 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: javascript-typescript
+ build-mode: none
+
+ steps:
+ - name: Clean up disk space
+ run: |
+ echo "Disk space before cleanup:"
+ df -h
+ echo ""
+ echo "Cleaning up unnecessary files to free disk space..."
+
+ # Remove large tool directories that aren't needed for JavaScript/TypeScript CodeQL analysis
+ # These tools will be re-downloaded by GitHub Actions if needed for other jobs
+ sudo rm -rf /usr/share/dotnet
+ sudo rm -rf /opt/ghc
+ sudo rm -rf /usr/local/share/boost
+ sudo rm -rf /usr/local/lib/android
+ sudo rm -rf /opt/az
+
+ # Remove large tool caches (CodeQL will re-download only what it needs)
+ sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+
+ # Clean up system caches
+ sudo apt-get clean
+ sudo rm -rf /var/lib/apt/lists/*
+
+ # Remove Docker images if Docker is installed (not needed for CodeQL)
+ docker system prune -af || true
+
+ # Remove pip cache
+ rm -rf ~/.cache/pip || true
+
+ # Remove npm cache (will be recreated during checkout if needed)
+ npm cache clean --force || true
+
+ echo ""
+ echo "Disk space after cleanup:"
+ df -h
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # Use our custom config file to exclude unnecessary files
+ config-file: ./.github/codeql/codeql-config.yml
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{matrix.language}}"
+
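Review bot: The third-party actions in the Checkout, Initialize CodeQL and Perform CodeQL Analysis steps are pinned to mutable major tags (`actions/checkout@v4`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`), so the job that writes this repository's security alerts runs whatever those tags resolve to at run time; pinning each to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, makes the dependency reviewable and still lets Dependabot bump it. In the "Clean up disk space" script, `sudo rm -rf "$AGENT_TOOLSDIRECTORY"` depends on the runner exporting that variable; `sudo rm -rf "${AGENT_TOOLSDIRECTORY:?}"` fails with an explicit message if it is ever unset instead of running `rm -rf` against an empty path. The script also relies on the runner's default shell options rather than declaring its own, so a leading `set -euo pipefail` (or a comment stating that the default `-e` is intended, given the deliberate `|| true` fallbacks) would make the failure behaviour explicit.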