1+ name : " Compile all queries using the latest stable CodeQL CLI"
2+
3+ on :
4+ push :
5+ branches : [main] # makes sure the cache gets populated
6+ pull_request :
7+ branches :
8+ - main
9+ - " rc/*"
10+
11+ jobs :
12+ compile-queries :
13+ runs-on : ubuntu-latest-xl
14+
15+ steps :
16+ - uses : actions/checkout@v3
17+ with :
18+ fetch-depth : 0
19+ # calculate the merge-base with main, in a way that works both on PRs and pushes to main.
20+ - name : Calculate merge-base
21+ id : merge-base
22+ env :
23+ BASE_BRANCH : ${{ github.base_ref }}
24+ run : |
25+ MERGE_BASE=$(git merge-base --fork-point origin/$BASE_BRANCH)
26+ echo "merge-base=$MERGE_BASE" >> $GITHUB_ENV
27+ - name : Cache CodeQL query compilation
28+ uses : actions/cache@v3
29+ with :
30+ path : ' */ql/src/.cache'
31+ # current GH HEAD first, merge-base second, generic third
32+ key : codeql-stable-compile-${{ github.sha }}
33+ restore-keys : |
34+ codeql-stable-compile-${{ env.merge-base }}
35+ codeql-stable-compile-
36+ - name : install codeql
37+ run : gh extension install github/gh-codeql
38+ env :
39+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
40+ - name : check formatting
41+ run : gh codeql query format */ql/{src,lib,test}/**/*.{qll,ql} --check-only
42+ env :
43+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
44+ - name : compile queries - check-only
45+ # run with --check-only if running in a PR (github.sha != main)
46+ if : ${{ github.sha != steps.merge-base.outputs.merge-base }}
47+ shell : bash
48+ run : gh codeql query compile -j0 */ql/src --keep-going --warnings=error --check-only
49+ env :
50+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
51+ - name : compile queries - full
52+ # do full compile if running on main - this populates the cache
53+ if : ${{ github.sha == steps.merge-base.outputs.merge-base }}
54+ shell : bash
55+ run : gh codeql query compile -j0 */ql/src --keep-going --warnings=error
56+ env :
57+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
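Review bot: The `if:` conditions on the two compile steps read `steps.merge-base.outputs.merge-base`, but the merge-base step only writes to `$GITHUB_ENV`, so that step output is never set and `github.sha != ''` is always true: the check-only step runs on every event and the full compile that is meant to populate the cache on main never runs. Add `echo "merge-base=$MERGE_BASE" >> "$GITHUB_OUTPUT"` to the step (keeping the `$GITHUB_ENV` line, which `restore-keys` still reads as `env.merge-base`), or point both conditions at `env.merge-base`. Separately, the workflow declares no `permissions:` block, so the `GITHUB_TOKEN` passed to the `gh` steps carries the repository's default token permissions, which may include write; a top-level `permissions:` / `contents: read` limits it to the read access the `gh codeql` download needs. The actions are pinned to mutable major tags (`@v3`) and `gh extension install github/gh-codeql` fetches whatever the current release is, so pinning the actions to commit SHAs and the extension with `--pin` would make the toolchain reproducible and harder to swap out. On a push event `github.base_ref` is empty, so `origin/$BASE_BRANCH` presumably fails to resolve and the merge-base step errors out under the default `bash -e` shell — confirm the push path actually works.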