diff --git a/.github/workflows/Code-Scanning.yml b/.github/workflows/Code-Scanning.yml
index 72e9c32c0..e843271fe 100644
--- a/.github/workflows/Code-Scanning.yml
+++ b/.github/workflows/Code-Scanning.yml
@@ -24,8 +24,9 @@ on:
 workflow_dispatch:

 jobs:
- analyze:
- name: Analysis
+ analyze-push:
+ name: Analysis-Push
+ if: github.event_name == 'push'
 runs-on: windows-latest
 permissions:
 actions: read
@@ -62,3 +63,46 @@ jobs:
 uses: github/codeql-action/analyze@v3
 with:
 category: "/language:${{matrix.language}}"
+ analyze-pr:
+ name: Analysis-PR
+ if: github.event_name == 'pull_request'
+ runs-on: windows-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: c-cpp
+ build-mode: manual
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ submodules: 'recursive'
+ - name: Install Nuget Packages
+ run: nuget restore .\packages.config -PackagesDirectory .\packages\
+ - name: Get changed files
+ id: get-changed-files
+ uses: tj-actions/changed-files@v41
+ with:
+ separator: ","
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development
+ packs: +microsoft/windows-drivers@1.2.0-beta
+ - if: matrix.build-mode == 'manual'
+ run: |
+ $changedFiles = "${{ steps.get-changed-files.outputs.all_changed_files }}".Split(',')
+ .\.github\scripts\Build-ChangedSamples.ps1 -ChangedFiles $changedFiles -Verbose
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
\ No newline at end of file
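Review bot: With `if: github.event_name == 'push'` on `analyze-push` and the new `analyze-pr` job gated on `pull_request`, the `workflow_dispatch` trigger still listed in the context above no longer starts any job, so a manual run of this workflow does nothing. If manual runs are meant to behave like pushes, widen the guard: `if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'`. The job id and display name also change from `analyze`/`Analysis` to `analyze-push`/`Analysis-Push`; if branch protection requires the old check name, that reference will presumably need updating as well. The `analyze-push` job continues past the end of this hunk.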
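Review bot: The manual build step interpolates `${{ steps.get-changed-files.outputs.all_changed_files }}` directly into the pwsh `run:` body, and on a `pull_request` run those path names come from the PR author, so a crafted file name is substituted into the script text before PowerShell parses it. Pass the list through the environment instead: add `env:` / `CHANGED_FILES: ${{ steps.get-changed-files.outputs.all_changed_files }}` to that step and read it as `$changedFiles = $env:CHANGED_FILES.Split(',')`. `tj-actions/changed-files@v41`, like the other actions in the job, is pinned to a mutable tag rather than a commit SHA; a full SHA with the version in a trailing comment makes the third-party code this workflow executes immutable. The conditional step is also the only one without a `name:`, so it appears in the run log as the raw `if` expression; `name: Build changed samples` would fix that.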