additional changes. also split languages into two jobs

Timothy Mothra Lee (from Dev Box) · Timothy Mothra Lee (from Dev Box) · commit 259bc8106659 · 2025-05-01T16:27:51.000-07:00
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,9 @@
+paths:
+  - etw/native/src
+paths-ignore:
+  - '**/node_modules/**'
+  - '**/build/**'
+  - '**/dist/**'
+  - '**/vendor/**'
+  - '**/test/**'
+  - '**/tests/**'
diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
@@ -9,66 +9,122 @@ on:
       - '**'
 
 jobs:
-  analyze:
+  # ===== Java Analysis Job =====
+  analyze-java:
+    name: "Analyze Java Code"
     permissions:
-      actions: read  # for github/codeql-action/init to get workflow details
-      security-events: write  # for github/codeql-action/analyze to upload SARIF results
-    runs-on: windows-latest
-
+      actions: read
+      security-events: write
+    runs-on: ubuntu-latest
+    
     steps:
       - uses: actions/checkout@v4
 
-      - name: Setup Visual Studio Build Tools
-        uses: microsoft/setup-msbuild@v1
-
-      - name: Set up Windows SDK
-        uses: ilammy/msvc-dev-cmd@v1
-
       - name: Set up Java 17
         uses: actions/setup-java@v4
         with:
           distribution: temurin
           java-version: 17
 
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
-          languages: java, c-cpp
+          languages: java
           debug: true
 
+      - name: Build Java code
+        run: ./gradlew assemble --no-build-cache
+        # Skip build cache for full code analysis
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: java
+
+  # ===== C++ Analysis Job =====
+  analyze-cpp:
+    name: "Analyze C++ Code"
+    permissions:
+      actions: read
+      security-events: write
+    runs-on: windows-latest
+    
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Java 17 (required for JNI compilation)
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Setup Visual Studio Build Tools
+        uses: microsoft/setup-msbuild@v1
+      
+      - name: Set up Windows SDK
+        uses: ilammy/msvc-dev-cmd@v1
+
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
 
-      - name: Build native C++ code (Windows-specific)
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: cpp
+          debug: true
+          config-file: .github/codeql-config.yml
+
+      - name: Build C++ code
         shell: powershell
+        id: build-cpp
         run: |
-          # Find the Windows SDK path and use it
+          # Configure environment for C++ build
           $winSdkPath = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\include" | Select-Object -Last 1).FullName
           Write-Host "Using Windows SDK from path: $winSdkPath"
           
-          # Set environment variables for Windows SDK and Visual Studio
+          # Set environment variables
           $env:APPINSIGHTS_WIN10_SDK_PATH = "C:\Program Files (x86)\Windows Kits\10"
           $env:APPINSIGHTS_VS_PATH = $env:VsInstallRoot
+          $env:JAVA_HOME = $env:JAVA_HOME_17_X64
           
-          # Log environment for debugging
           Write-Host "APPINSIGHTS_WIN10_SDK_PATH: $env:APPINSIGHTS_WIN10_SDK_PATH"
           Write-Host "APPINSIGHTS_VS_PATH: $env:APPINSIGHTS_VS_PATH"
+          Write-Host "JAVA_HOME: $env:JAVA_HOME"
           
-          ./gradlew "-Dai.etw.native.build=release" :etw:native:build --info
-
-      - name: Assemble
-        # skipping build cache is needed so that all modules will be analyzed
-        run: ./gradlew assemble --no-build-cache
+          # Build the native code
+          try {
+            ./gradlew "-Dai.etw.native.build=release" :etw:native:build --info
+            echo "CPP_BUILD_SUCCEEDED=true" | Out-File -FilePath $env:GITHUB_ENV -Append
+          } catch {
+            Write-Host "Native C++ build failed with error: $_"
+            # Ensure CodeQL can still scan the files by touching them
+            Get-ChildItem -Path "etw/native/src" -Recurse -Filter "*.cpp" | Foreach-Object {
+              Write-Host "Touching file: $($_.FullName)"
+              (Get-Item $_.FullName).LastWriteTime = Get-Date
+            }
+            echo "CPP_BUILD_SUCCEEDED=false" | Out-File -FilePath $env:GITHUB_ENV -Append
+          }
 
       - name: Perform CodeQL analysis
         uses: github/codeql-action/analyze@v3
+        with:
+          category: cpp
+
+      - name: Report C++ build status
+        if: env.CPP_BUILD_SUCCEEDED == 'false'
+        run: |
+          echo "::warning::C++ build failed but CodeQL scan was attempted anyway. Some C++ issues may not be detected."
 
   scheduled-job-notification:
     permissions:
       issues: write
     needs:
-      - analyze
+      - analyze-java
+      - analyze-cpp
     if: always()
     uses: ./.github/workflows/reusable-scheduled-job-notification.yml
     with:
-      success: ${{ needs.analyze.result == 'success' }}
+      success: ${{ needs.analyze-java.result == 'success' && needs.analyze-cpp.result == 'success' }}
