additional changes. also split languages into two jobs #1064
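name: CodeQL (daily)

# Runs the CodeQL scan once a day, on demand, and on every push to any branch.
on:
  schedule:
    - cron: '30 1 * * *'
  workflow_dispatch:
  push:
    branches:
      - '**'

# NOTE(review): every `uses:` below references a mutable major tag (@v1/@v3/@v4).
# Pinning each action to a full-length commit SHA (keeping the tag in a trailing
# comment) removes the exposure to a tag being moved to different code.
jobs:
  # ===== Java Analysis Job =====
  analyze-java:
    name: "Analyze Java Code"
    permissions:
      actions: read
      # A job-level `permissions` block resets every unlisted scope to none;
      # checkout and the CodeQL upload need read access to repository contents.
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Java 17
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          # Debug mode is expected to upload CodeQL logs/database artifacts on
          # every run; consider disabling it once the workflow is stable.
          debug: true
      - name: Build Java code
        # Skip build cache for full code analysis
        run: ./gradlew assemble --no-build-cache
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: java

  # ===== C++ Analysis Job =====
  analyze-cpp:
    name: "Analyze C++ Code"
    permissions:
      actions: read
      # See analyze-java: unlisted scopes are none, checkout needs contents read.
      contents: read
      security-events: write
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Java 17 (required for JNI compilation)
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - name: Setup Visual Studio Build Tools
        uses: microsoft/setup-msbuild@v1
      - name: Set up Windows SDK
        uses: ilammy/msvc-dev-cmd@v1
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: cpp
          # Debug mode is expected to upload CodeQL logs/database artifacts;
          # consider disabling it once the workflow is stable.
          debug: true
          config-file: .github/codeql-config.yml
      - name: Build C++ code
        shell: powershell
        id: build-cpp
        # Best effort: a failed native build must not prevent the CodeQL
        # analysis step from running. The outcome is recorded in
        # CPP_BUILD_SUCCEEDED and surfaced by "Report C++ build status" below.
        run: |
          # Configure environment for C++ build
          $winSdkPath = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\include" | Select-Object -Last 1).FullName
          Write-Host "Using Windows SDK from path: $winSdkPath"
          # Set environment variables
          $env:APPINSIGHTS_WIN10_SDK_PATH = "C:\Program Files (x86)\Windows Kits\10"
          $env:APPINSIGHTS_VS_PATH = $env:VsInstallRoot
          $env:JAVA_HOME = $env:JAVA_HOME_17_X64
          Write-Host "APPINSIGHTS_WIN10_SDK_PATH: $env:APPINSIGHTS_WIN10_SDK_PATH"
          Write-Host "APPINSIGHTS_VS_PATH: $env:APPINSIGHTS_VS_PATH"
          Write-Host "JAVA_HOME: $env:JAVA_HOME"
          # Build the native code. A native command exiting non-zero does not
          # throw in Windows PowerShell, so try/catch cannot detect a failed
          # gradle build; the exit code has to be inspected instead.
          ./gradlew "-Dai.etw.native.build=release" :etw:native:build --info
          $buildExitCode = $LASTEXITCODE
          if ($buildExitCode -eq 0) {
            $buildSucceeded = 'true'
          } else {
            Write-Host "Native C++ build failed with exit code: $buildExitCode"
            $buildSucceeded = 'false'
            # Touching the .cpp files is not expected to make CodeQL extract
            # them (C/C++ extraction records traced compiler invocations), so
            # the failure is only recorded here and reported by a later step.
          }
          # Windows PowerShell's Out-File defaults to UTF-16; GITHUB_ENV has to
          # be written as UTF-8 or the variable is not seen by later steps.
          "CPP_BUILD_SUCCEEDED=$buildSucceeded" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
          # Exit 0 explicitly: the powershell shell wrapper is expected to
          # propagate the last native exit code otherwise, which would fail
          # this step before the CodeQL analysis runs.
          exit 0
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: cpp
      - name: Report C++ build status
        # always(): still emit the warning when the analysis step itself fails,
        # since a failed native build is the likely cause.
        if: always() && env.CPP_BUILD_SUCCEEDED == 'false'
        run: |
          echo "::warning::C++ build failed but CodeQL scan was attempted anyway. Some C++ issues may not be detected."

  scheduled-job-notification:
    permissions:
      issues: write
    needs:
      - analyze-java
      - analyze-cpp
    if: always()
    uses: ./.github/workflows/reusable-scheduled-job-notification.yml
    with:
      success: ${{ needs.analyze-java.result == 'success' && needs.analyze-cpp.result == 'success' }}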