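# The contents below are based on sample configuration from CodeQL
# and on the variant of that file used in the main NUT repository.
#
# Review notes:
# * Every `${{ ... }}` expression expanded inside a `run:` script below
#   comes from the `matrix` defined in this file (compiler, nutsrc,
#   build-mode), never from event payload data, so nothing attacker
#   supplied reaches the shell via expression expansion.
# * `permissions` is the least-privilege set the job needs: read the
#   checkout, and `security-events: write` so the analyze step can
#   upload its results.
# * Action versions are kept consistent (v4 for actions/checkout and
#   actions/cache, v3 for the codeql-action family). actions/checkout@v3
#   was replaced by @v4 to match actions/cache@v4 and drop the older
#   Node runtime; the step's inputs are unchanged.
#
name: "GHA-05: CodeQL"
on:
  push:
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]
  schedule:
    - cron: "18 2 * * 0"
  workflow_dispatch:
    # Allow manually running the action, e.g. if disabled after some quietness in the source
jobs:
  analyze:
    name: Analyze
    runs-on: ${{ matrix.os }}
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        # https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
        language: [ 'cpp' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
        nutsrc: [ 'pkg280', 'trunk' ]
        # Build with OS-provided NUT package (or build v2.8.0 if pkg is too old), or NUT trunk?
        os: [ 'ubuntu-latest' ]
        # TOTHINK: windows-latest, macos-latest?
        build-mode: [ 'manual' ]
        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
        # Abusing "manual" here to try building with ccache (and
        # have codeql not intercept that build but parse C/C++
        # files on its own), and "manual" to custom-build without;
        # the "autobuild" mode is handled by codeql itself but
        # would probably ignore our CC/CXX setting
        # NOTE: We do not add ccache to PATH when actually compiling NUT code
        # (we only speed up "configure" stages), so compilation always happens
        # and is parsed by current CodeQL detectors of the day as they evolve!
        compiler: [ 'CC=gcc CXX=g++', 'CC=clang CXX=clang++' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Using hints from https://askubuntu.com/questions/272248/processing-triggers-for-man-db
      - if: matrix.language == 'cpp' && matrix.os == 'ubuntu-latest'
        name: NUT CI Prerequisite packages (Ubuntu)
        run: |
          echo "set man-db/auto-update false" | sudo debconf-communicate
          sudo dpkg-reconfigure man-db
          sudo apt update
          case x"${{matrix.compiler}}" in x*clang*) sudo apt install clang ;; x*) sudo apt install gcc g++ ;; esac
          sudo apt install libxpm-dev libxext-dev libupsclient-dev libc6-dev-amd64-cross libgcc-s1-amd64-cross ccache
          date > .timestamp-init

      - name: Prepare ccache
        # Based on https://docs.github.com/en/actions/reference/workflows-and-actions/dependency-caching#example-using-the-cache-action example
        # The `.timestamp-init` file is re-created on every run (see the step
        # above), so the primary key never hits and `restore-keys` does the
        # actual (prefix-matched) restore; the fresh key is what gets saved.
        id: cache-ccache
        uses: actions/cache@v4
        env:
          cache-name: cache-ccache-${{ matrix.nutsrc }}-${{ matrix.compiler }}
        with:
          path: |
            ~/.ccache
            ~/.cache/ccache
            ~/.config/ccache/ccache.conf
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/.timestamp-init') }}
          restore-keys: |
            ${{ runner.os }}-build-${{ env.cache-name }}-
            ${{ runner.os }}-build-
            ${{ runner.os }}-

      - name: CCache stats before build
        run: |
          ccache -sv || ccache -s || echo "FAILED to read ccache info, oh well"
          rm -f .timestamp-init

      - if: matrix.language == 'cpp' && matrix.os == 'ubuntu-latest'
        name: Initialize dependencies (ensure NUT 2.8.0+)
        # GITVER stays empty when the distro package is recent enough; only
        # then is the NUT source tree cloned and built from upstream.
        run: |
          GITVER=''
          case "${{matrix.nutsrc}}" in
            "pkg280")
              case "`pkg-config --modversion libupsclient | tee -a /dev/stderr`" in
                [01].*|2.[01234567].*)
                  echo "WARNING: System-packaged NUT seems too old, will build dev profile from scratch" >&2
                  GITVER='v2.8.0'
                  ;;
              esac ;;
            "trunk") GITVER="master" ;;
          esac
          if [ x"$GITVER" != x ] ; then
            PATH="/usr/lib/ccache:$PATH" ; export PATH
            set -e ### abort on any non-zero exit code below
            ### Follow nut::docs/config-prereqs.txt chapter for Debian/Ubuntu
            ### to be sure, with a minimal set of third-party dependencies for
            ### a faster and practically useless build. Most or all of these
            ### are pre-installed in the image or by the above init, so there
            ### is little run-time impact of the APT operation here normally;
            ### these explicit installations help bolt down some auto-deps so
            ### they are surely not "apt-get remove"'d with the operation below:
            sudo apt-get install build-essential git python3 perl curl make autoconf automake libtool pkg-config gcc ### g++ libltdl-dev python-is-python3
            git clone -b "$GITVER" -o upstream https://github.com/networkupstools/nut
            cd nut
            ./autogen.sh
            ./configure ${{matrix.compiler}} --prefix=/usr --sysconfdir=/etc --with-user=nut --with-group=nut --with-dev --without-all --without-docs --without-nut-scanner --enable-silent-rules
            make -j 8 -s
            sudo apt-get remove libupsclient-dev ### avoid conflicts/confusion just in case
            sudo apt-get remove libupsclient4 || true
            sudo make -s install ### overwrite system packaged files as too old
            echo "=== Checking NUT libupsclient version seen by pkg-config:"
            pkg-config --modversion libupsclient
          fi

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the (whole) list here with "+" to use these queries and those in the config file.
          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          queries: +security-extended,security-and-quality

      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
      # NOTE: the matrix above only lists 'manual', so this step is currently
      # skipped; it is kept so that adding 'autobuild' to the matrix works.
      - if: matrix.build-mode == 'autobuild'
        name: Autobuild
        uses: github/codeql-action/autobuild@v3
        env:
          ### Avoid installing obsolete libupsclient-dev
          # Quoted: environment variables are strings, and an unquoted
          # `false` is a YAML boolean that the runner has to stringify.
          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: "false"

      - if: matrix.build-mode != 'autobuild' && matrix.language == 'cpp'
        name: WMNut CI Build Configuration
        run: |
          case x"${{matrix.build-mode}}" in
            xmanual)
              PATH="/usr/lib/ccache:$PATH" ; export PATH
              CCACHE_COMPRESS=true; export CCACHE_COMPRESS
              ccache --version || true
              ;;
            xnone|*)
              echo "NOTE: NOT USING CCACHE for the CI-tested code base configuration" >&2
              ;;
          esac
          ( ${{matrix.compiler}} ; echo "=== CC: $CC => `command -v $CC` =>" ; $CC --version ; echo "=== CXX: $CXX => `command -v $CXX` =>" ; $CXX --version ) || true
          ./autogen.sh && \
          ./configure ${{matrix.compiler}} --enable-debug --enable-Werror

      # NOTE: We do not add ccache to PATH here, so compilation always happens
      # and is parsed by current CodeQL detectors of the day as they evolve:
      - if: matrix.build-mode != 'autobuild' && matrix.language == 'cpp'
        name: WMNut CI Build Compilation
        run: |
          echo "NOTE: NOT USING CCACHE for the CI-tested code base compilation" >&2
          ( ${{matrix.compiler}} ; echo "=== CC: $CC => `command -v $CC` =>" ; $CC --version ; echo "=== CXX: $CXX => `command -v $CXX` =>" ; $CXX --version ) || true
          make -s -j 8 || exit

      - if: matrix.build-mode != 'autobuild' && matrix.language == 'cpp'
        name: WMNut CI Check
        run: make -s -j 8 check || exit

      - name: CCache stats after build
        run: ccache -sv || ccache -s || echo "FAILED to read ccache info, oh well"

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"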