Update codeql-analysis.yml for Gradle

purejava · web-flow · commit ea40811ec7d9 · 2025-01-08T11:29:32.000+01:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -8,30 +8,100 @@ on:
   schedule:
     - cron: '34 10 * * 4'
 
+permissions: {}
+
 jobs:
-  analyse:
-    name: Analyse
+  CodeQL-Build:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     runs-on: ubuntu-latest
-    if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['java', 'javascript']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: '17'
-      - uses: actions/cache@v4
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: java
-      - name: Build
-        run: mvn -B compile
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      # Checkout must run before the caching key is computed using the `hashFiles` method
+
+    - name: Cache Gradle Modules
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.gradle/caches/modules-2/
+          ~/.gradle/caches/build-cache-1/
+          ~/.gradle/caches/signatures/
+          ~/.gradle/caches/keyrings/
+        key: ${{ runner.os }}-gradle-cache-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
+        if: ${{ matrix.language == 'java' }}
+
+    - name: Disable checksum offloading
+      # See: https://github.com/actions/virtual-environments/issues/1187#issuecomment-686735760
+      run: sudo ethtool -K eth0 tx off rx off
+
+    # Install and setup JDK 17
+    - name: Setup JDK 17
+      uses: actions/setup-java@v4
+      with:
+        distribution: temurin
+        java-version: 17
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        tools: latest
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    - name: Compile with Gradle with Build Scan
+      if: ${{ matrix.language == 'java' && github.repository_owner == 'gradle' }}
+      run: ./gradlew --init-script .github/workflows/codeql-analysis.init.gradle -DcacheNode=us -S testClasses -Dhttp.keepAlive=false
+      env:
+        # Set the DEVELOCITY_ACCESS_KEY so that Gradle Build Scans are generated
+        DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+        # Potential stop-gap solution for ReadTimeout issues with the Gradle Build Cache
+        # https://gradle.slack.com/archives/CHDLT99C6/p1636477584059200
+        GRADLE_OPTS: -Dhttp.keepAlive=false
+
+    - name: Compile with Gradle without Build Scan
+      if: ${{ matrix.language == 'java' && github.repository_owner != 'gradle' }}
+      run: ./gradlew --init-script .github/workflows/codeql-analysis.init.gradle -S testClasses
+
+    - name: Cleanup Gradle Daemons
+      run: ./gradlew --stop
+      if: ${{ matrix.language == 'java' }}
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        config-file: ./.github/codeql/codeql-config.yml
+
+    - name: Cleanup Gradle Cache
+      # Cleans up the Gradle caches before being cached
+      run: |
+        rm -f ~/.gradle/caches/modules-2/modules-2.lock
+        rm -f ~/.gradle/caches/modules-2/gc.properties
+      if: ${{ matrix.language == 'java' }}
