From eb16f081708c2b408f4015df2b618322eb198cfb Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Fri, 14 Mar 2025 09:51:52 -0700
Subject: [PATCH 1/7] update workflow files to split codeql analysis for push and PR
---
 .github/workflows/Code-Scanning-pr.yml | 65 ++++++++++++++++++++++++++
 .github/workflows/Code-Scanning.yml | 8 ----
 2 files changed, 65 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/Code-Scanning-pr.yml
diff --git a/.github/workflows/Code-Scanning-pr.yml b/.github/workflows/Code-Scanning-pr.yml
new file mode 100644
index 000000000..a187b47ad
--- /dev/null
+++ b/.github/workflows/Code-Scanning-pr.yml
@@ -0,0 +1,65 @@ +# This workflow runs the latest CodeQL CLI and checks against CodeQL's Cpp library. +# This is the source for the GitHub Security Code Scanning job. + +name: "CodeQL Analysis PR" + +on: + pull_request: + # The branches below must be a subset of the branches above + branches: + - main + - develop + paths-ignore: + - '**.md' + - 'LICENSE' + + # Allow manual scheduling + workflow_dispatch: + +jobs: + analyze: + name: Analysis + runs-on: windows-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + include: + - language: c-cpp + build-mode: manual + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + submodules: 'recursive' + - name: Install Nuget Packages + run: nuget restore .\packages.config -PackagesDirectory .\packages\ + - name: Get changed files + id: get-changed-files + uses: tj-actions/changed-files@v41 + with: + separator: "," + + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development + packs: +microsoft/windows-drivers@1.2.0-beta + + - if: matrix.build-mode == 'manual' + run: | + $changedFiles = "${{ steps.get-changed-files.outputs.all_changed_files }}".Split(',') + .\.github\scripts\Build-ChangedSamples.ps1 -ChangedFiles $changedFiles -Verbose + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/Code-Scanning.yml b/.github/workflows/Code-Scanning.yml index 72e9c32c0..cc8a16d6a 100644 --- a/.github/workflows/Code-Scanning.yml +++ b/.github/workflows/Code-Scanning.yml 
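Review bot: The manual-build step interpolates `${{ steps.get-changed-files.outputs.all_changed_files }}` straight into the PowerShell `run:` script, so the changed-file names taken from the pull request become script text rather than data, and a path containing a double quote or a PowerShell subexpression would be evaluated by the runner instead of being treated as a file name. Passing the value through the environment keeps it as data: add `env:` with `ALL_CHANGED_FILES: ${{ steps.get-changed-files.outputs.all_changed_files }}` to the step and read it as `$changedFiles = $env:ALL_CHANGED_FILES.Split(',')`. Because the trigger is `pull_request` rather than `pull_request_target`, fork PRs run by default with a read-only token and no secrets, which bounds the impact, but the `security-events: write` grant still applies to PRs from same-repository branches. Separately, every action here is referenced by a floating tag (`actions/checkout@v4`, `tj-actions/changed-files@v41`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`); pinning each to a full-length commit SHA with the tag in a trailing comment prevents a moved tag from changing what the job executes. The same steps are re-added as the `analyze-pr` job in Code-Scanning.yml in PATCH 6/7, where both fixes apply equally.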
@@ -11,14 +11,6 @@ on: paths-ignore: - '**.md' - 'LICENSE' - pull_request: - # The branches below must be a subset of the branches above - branches: - - main - - develop - paths-ignore: - - '**.md' - - 'LICENSE' # Allow manual scheduling workflow_dispatch: From d69205126f62ad44af4c5e3b64f1f14637116ea2 Mon Sep 17 00:00:00 2001 From: jacob-ronstadt Date: Fri, 14 Mar 2025 10:10:15 -0700 Subject: [PATCH 2/7] test changing a file --- tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c b/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c index 03087d9f3..df3086392 100644 --- a/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c +++ b/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c @@ -33,7 +33,7 @@ Module Name: #pragma alloc_text (PAGE, DispatchPnp) #pragma alloc_text (PAGE, DriverUnload) #endif - +// test changing file for workflow update NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, From 04eb2c34aac69545b56ff86b6d642e453bde89f0 Mon Sep 17 00:00:00 2001 From: jacob-ronstadt Date: Fri, 14 Mar 2025 10:22:13 -0700 Subject: [PATCH 3/7] remove build all option in script for testing. --- .github/scripts/Build-ChangedSamples.ps1 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/scripts/Build-ChangedSamples.ps1 b/.github/scripts/Build-ChangedSamples.ps1 index bdaee943c..90185cf96 100644 --- a/.github/scripts/Build-ChangedSamples.ps1 +++ b/.github/scripts/Build-ChangedSamples.ps1 
@@ -25,12 +25,12 @@ foreach ($file in $ChangedFiles) { if ($filename -eq "Build-AllSamples.ps1" -or $filename -eq "Build-Sample.ps1" -or $filename -eq "Build-SampleSet.ps1" -or $filename -eq "exclusions.csv" -or $filename -eq "Directory.Build.props" -or $filename -eq "packages.config") { $buildAll = $true } - if ($dir -like "$root\.github\scripts" -or $dir -like "$root\.github\scripts\*") { - $buildAll = $true - } - if ($dir -like "$root\.github\workflows" -or $dir -like "$root\.github\workflows\*") { - $buildAll = $true - } + # if ($dir -like "$root\.github\scripts" -or $dir -like "$root\.github\scripts\*") { + # $buildAll = $true + # } + # if ($dir -like "$root\.github\workflows" -or $dir -like "$root\.github\workflows\*") { + # $buildAll = $true + # } // Testing. Uncomment this when done if ($buildAll) { Write-Verbose "`u{2754} Full build triggered by change in file $file" From 0d67fae8dd54d5fc394c4672267ed9ce6150a120 Mon Sep 17 00:00:00 2001 From: jacob-ronstadt Date: Fri, 14 Mar 2025 10:31:50 -0700 Subject: [PATCH 4/7] Revert "remove build all option in script for testing." This reverts commit 04eb2c34aac69545b56ff86b6d642e453bde89f0. --- .github/scripts/Build-ChangedSamples.ps1 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/scripts/Build-ChangedSamples.ps1 b/.github/scripts/Build-ChangedSamples.ps1 index 90185cf96..bdaee943c 100644 --- a/.github/scripts/Build-ChangedSamples.ps1 +++ b/.github/scripts/Build-ChangedSamples.ps1 
@@ -25,12 +25,12 @@ foreach ($file in $ChangedFiles) { if ($filename -eq "Build-AllSamples.ps1" -or $filename -eq "Build-Sample.ps1" -or $filename -eq "Build-SampleSet.ps1" -or $filename -eq "exclusions.csv" -or $filename -eq "Directory.Build.props" -or $filename -eq "packages.config") { $buildAll = $true } - # if ($dir -like "$root\.github\scripts" -or $dir -like "$root\.github\scripts\*") { - # $buildAll = $true - # } - # if ($dir -like "$root\.github\workflows" -or $dir -like "$root\.github\workflows\*") { - # $buildAll = $true - # } // Testing. Uncomment this when done + if ($dir -like "$root\.github\scripts" -or $dir -like "$root\.github\scripts\*") { + $buildAll = $true + } + if ($dir -like "$root\.github\workflows" -or $dir -like "$root\.github\workflows\*") { + $buildAll = $true + } if ($buildAll) { Write-Verbose "`u{2754} Full build triggered by change in file $file" From 60f428a161aa308b78e97427af9ca0d5bf8523f5 Mon Sep 17 00:00:00 2001 From: jacob-ronstadt Date: Fri, 14 Mar 2025 10:31:59 -0700 Subject: [PATCH 5/7] Revert "test changing a file" This reverts commit d69205126f62ad44af4c5e3b64f1f14637116ea2. --- tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c b/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c index df3086392..03087d9f3 100644 --- a/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c +++ b/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c @@ -33,7 +33,7 @@ Module Name: #pragma alloc_text (PAGE, DispatchPnp) #pragma alloc_text (PAGE, DriverUnload) #endif -// test changing file for workflow update + NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, From 4407d197f25c578be0a03e3347bc8a1054d70951 Mon Sep 17 00:00:00 2001 
From: jacob-ronstadt Date: Fri, 14 Mar 2025 12:31:02 -0700 Subject: [PATCH 6/7] combine pr and push analysis files to remove warning about not having on.push trigger. include script changes and file change for testing --- .github/scripts/Build-ChangedSamples.ps1 | 12 ++-- .github/workflows/Code-Scanning-pr.yml | 65 ------------------- .github/workflows/Code-Scanning.yml | 56 +++++++++++++++- .../SDV-FailDriver-WDM/driver/fail_driver1.c | 2 +- 4 files changed, 61 insertions(+), 74 deletions(-) delete mode 100644 .github/workflows/Code-Scanning-pr.yml diff --git a/.github/scripts/Build-ChangedSamples.ps1 b/.github/scripts/Build-ChangedSamples.ps1 index bdaee943c..90185cf96 100644 --- a/.github/scripts/Build-ChangedSamples.ps1 +++ b/.github/scripts/Build-ChangedSamples.ps1 @@ -25,12 +25,12 @@ foreach ($file in $ChangedFiles) { if ($filename -eq "Build-AllSamples.ps1" -or $filename -eq "Build-Sample.ps1" -or $filename -eq "Build-SampleSet.ps1" -or $filename -eq "exclusions.csv" -or $filename -eq "Directory.Build.props" -or $filename -eq "packages.config") { $buildAll = $true } - if ($dir -like "$root\.github\scripts" -or $dir -like "$root\.github\scripts\*") { - $buildAll = $true - } - if ($dir -like "$root\.github\workflows" -or $dir -like "$root\.github\workflows\*") { - $buildAll = $true - } + # if ($dir -like "$root\.github\scripts" -or $dir -like "$root\.github\scripts\*") { + # $buildAll = $true + # } + # if ($dir -like "$root\.github\workflows" -or $dir -like "$root\.github\workflows\*") { + # $buildAll = $true + # } // Testing. Uncomment this when done if ($buildAll) { Write-Verbose "`u{2754} Full build triggered by change in file $file" diff --git a/.github/workflows/Code-Scanning-pr.yml b/.github/workflows/Code-Scanning-pr.yml deleted file mode 100644 index a187b47ad..000000000 --- a/.github/workflows/Code-Scanning-pr.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -# This workflow runs the latest CodeQL CLI and checks against CodeQL's Cpp library. -# This is the source for the GitHub Security Code Scanning job. - -name: "CodeQL Analysis PR" - -on: - pull_request: - # The branches below must be a subset of the branches above - branches: - - main - - develop - paths-ignore: - - '**.md' - - 'LICENSE' - - # Allow manual scheduling - workflow_dispatch: - -jobs: - analyze: - name: Analysis - runs-on: windows-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - include: - - language: c-cpp - build-mode: manual - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - submodules: 'recursive' - - name: Install Nuget Packages - run: nuget restore .\packages.config -PackagesDirectory .\packages\ - - name: Get changed files - id: get-changed-files - uses: tj-actions/changed-files@v41 - with: - separator: "," - - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development - packs: +microsoft/windows-drivers@1.2.0-beta - - - if: matrix.build-mode == 'manual' - run: | - $changedFiles = "${{ steps.get-changed-files.outputs.all_changed_files }}".Split(',') - .\.github\scripts\Build-ChangedSamples.ps1 -ChangedFiles $changedFiles -Verbose - - - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/Code-Scanning.yml b/.github/workflows/Code-Scanning.yml index cc8a16d6a..e843271fe 100644 --- a/.github/workflows/Code-Scanning.yml +++ b/.github/workflows/Code-Scanning.yml 
@@ -11,13 +11,22 @@ on: paths-ignore: - '**.md' - 'LICENSE' + pull_request: + # The branches below must be a subset of the branches above + branches: + - main + - develop + paths-ignore: + - '**.md' + - 'LICENSE' # Allow manual scheduling workflow_dispatch: jobs: - analyze: - name: Analysis + analyze-push: + name: Analysis-Push + if: github.event_name == 'push' runs-on: windows-latest permissions: actions: read @@ -54,3 +63,46 @@ jobs: uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" + analyze-pr: + name: Analysis-PR + if: github.event_name == 'pull_request' + runs-on: windows-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + include: + - language: c-cpp + build-mode: manual + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + submodules: 'recursive' + - name: Install Nuget Packages + run: nuget restore .\packages.config -PackagesDirectory .\packages\ + - name: Get changed files + id: get-changed-files + uses: tj-actions/changed-files@v41 + with: + separator: "," + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development + packs: +microsoft/windows-drivers@1.2.0-beta + - if: matrix.build-mode == 'manual' + run: | + $changedFiles = "${{ steps.get-changed-files.outputs.all_changed_files }}".Split(',') + .\.github\scripts\Build-ChangedSamples.ps1 -ChangedFiles $changedFiles -Verbose + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" \ No newline at end of file diff --git a/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c b/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c index 03087d9f3..df3086392 100644 
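Review bot: With `analyze-push` now gated on `if: github.event_name == 'push'` and the new `analyze-pr` job gated on `pull_request`, the `workflow_dispatch` trigger that this hunk keeps under `on:` matches neither condition, so a manual run of the workflow schedules no job at all. If a manual run is meant to behave like a push analysis, widen the guard to `if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'`. The `push:` trigger that the "must be a subset of the branches above" comment refers to begins before this hunk, so whether the two branch lists actually agree cannot be checked from what is shown.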
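Review bot: The `Initialize CodeQL` step of the new `analyze-pr` job takes its `config-file` from `microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development`, a branch of another repository, so the query suite and exclusions applied to a pull request can differ between two runs of the same commit with no change in this repo; pinning that reference to a release tag or commit SHA makes the scan reproducible and reviewable. The push job's init step lies outside this hunk, so I can't tell whether it carries the same reference. The conditional build step has no `name:` and will appear in the run log under its shell command; `- name: Build changed samples` above the `if:` would label it. The added job also ends the file without a trailing newline (`\ No newline at end of file`), which is worth fixing while the block is being touched.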
--- a/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c +++ b/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c @@ -33,7 +33,7 @@ Module Name: #pragma alloc_text (PAGE, DispatchPnp) #pragma alloc_text (PAGE, DriverUnload) #endif - +// test changing file for workflow update NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, From 32ab64d3116c6d97d79f1a76b988a3ff5e4858d4 Mon Sep 17 00:00:00 2001 From: jacob-ronstadt Date: Fri, 14 Mar 2025 12:34:26 -0700 Subject: [PATCH 7/7] remove test changes --- .github/scripts/Build-ChangedSamples.ps1 | 12 ++++++------ .../samples/SDV-FailDriver-WDM/driver/fail_driver1.c | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/scripts/Build-ChangedSamples.ps1 b/.github/scripts/Build-ChangedSamples.ps1 index 90185cf96..bdaee943c 100644 --- a/.github/scripts/Build-ChangedSamples.ps1 +++ b/.github/scripts/Build-ChangedSamples.ps1 @@ -25,12 +25,12 @@ foreach ($file in $ChangedFiles) { if ($filename -eq "Build-AllSamples.ps1" -or $filename -eq "Build-Sample.ps1" -or $filename -eq "Build-SampleSet.ps1" -or $filename -eq "exclusions.csv" -or $filename -eq "Directory.Build.props" -or $filename -eq "packages.config") { $buildAll = $true } - # if ($dir -like "$root\.github\scripts" -or $dir -like "$root\.github\scripts\*") { - # $buildAll = $true - # } - # if ($dir -like "$root\.github\workflows" -or $dir -like "$root\.github\workflows\*") { - # $buildAll = $true - # } // Testing. Uncomment this when done + if ($dir -like "$root\.github\scripts" -or $dir -like "$root\.github\scripts\*") { + $buildAll = $true + } + if ($dir -like "$root\.github\workflows" -or $dir -like "$root\.github\workflows\*") { + $buildAll = $true + } if ($buildAll) { Write-Verbose "`u{2754} Full build triggered by change in file $file" diff --git a/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c b/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c index df3086392..03087d9f3 100644 
--- a/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c +++ b/tools/sdv/samples/SDV-FailDriver-WDM/driver/fail_driver1.c @@ -33,7 +33,7 @@ Module Name: #pragma alloc_text (PAGE, DispatchPnp) #pragma alloc_text (PAGE, DriverUnload) #endif -// test changing file for workflow update + NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject,