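name: "CodeQL"

# Static analysis of every language in the repo. Runs on pushes/PRs to the
# release-style branches below, on a weekly schedule, and on demand.
on: # yamllint disable-line rule:truthy
  push:
    branches:
      - "main"
      - "v.?[0-9]+.[0-9]+.[0-9]+"
      - "v.?[0-9]+.[0-9]+"
      - "v?[0-9]+.[0-9]+.[0-9]+"
      - "v?[0-9]+.[0-9]+"
      - release-*
  pull_request:
    branches:
      - "main"
      - "v.?[0-9]+.[0-9]+.[0-9]+"
      - "v.?[0-9]+.[0-9]+"
      - "v?[0-9]+.[0-9]+.[0-9]+"
      - "v?[0-9]+.[0-9]+"
      - release-*
  schedule:
    - cron: "37 18 * * 6"
  workflow_dispatch:

jobs:
  # Run CodeQL analysis for each language
  analyze:
    name: Analyze (${{ matrix.language }})
    # swift is not in the matrix below, so this currently always resolves to
    # ubuntu-latest; the expression is kept so a swift entry can be added later.
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    permissions:
      # Least-privilege GITHUB_TOKEN. Listing any scope sets every unlisted
      # scope to `none`, so the read scopes CodeQL and checkout rely on are
      # spelled out explicitly (these match GitHub's CodeQL starter workflow).
      actions: read          # codeql-action reads workflow run metadata (private repos)
      contents: read         # actions/checkout and the analyzers read the source tree
      packages: read         # codeql-action may fetch CodeQL packs from the registry
      security-events: write # upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: go
            build-mode: manual
          - language: java-kotlin
            build-mode: manual
          - language: javascript-typescript
            build-mode: none
          - language: python
            build-mode: none
          - language: rust
            build-mode: none
          - language: c-cpp
            build-mode: manual
          - language: actions
            build-mode: none
    steps:
      # NOTE(review): the three GitHub-hosted actions below are pinned to moving
      # major tags; pinning each to a full commit SHA (with the version in a
      # trailing comment) makes the action supply chain immutable.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          config-file: .github/codeql/codeql-config.yml
          # Pin to 2.23.9 due to hang in 2.24.0 Rust analyzer
          tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.23.9/codeql-bundle-linux64.tar.gz

      # C++ Build (the native core is driven by cargo; this is what the
      # c-cpp extractor observes in manual build mode)
      - name: Build C++ components
        if: matrix.language == 'c-cpp'
        shell: bash
        run: |
          cd glide-core
          cargo build --release

      # protoc is needed by both the Go and the Java/Kotlin code generation,
      # so it is installed once here instead of in two copy-pasted steps.
      - name: Install protoc compiler
        if: matrix.language == 'go' || matrix.language == 'java-kotlin'
        shell: bash
        run: |
          PROTOC_VERSION="29.1"
          PB_REL="https://github.com/protocolbuffers/protobuf/releases"
          ARCHIVE="protoc-${PROTOC_VERSION}-linux-x86_64.zip"
          # Reuse a pre-installed protoc only if it is exactly the pinned version
          if ! command -v protoc &> /dev/null || ! protoc --version | grep -qF "${PROTOC_VERSION}"; then
            echo "Installing protoc ${PROTOC_VERSION}..."
            # -f: fail on an HTTP error instead of saving the error page as the zip
            curl -fsSLO "${PB_REL}/download/v${PROTOC_VERSION}/${ARCHIVE}"
            # TODO(review): there is no integrity check on this download before it
            # is extracted into /usr/local with sudo; verify the archive's SHA-256
            # against the published release checksums here.
            sudo unzip "${ARCHIVE}" -d /usr/local
            sudo chmod +x /usr/local/bin/protoc
          else
            echo "protoc already installed: $(protoc --version)"
          fi

      # Go Build
      - name: Install protoc-gen-go
        if: matrix.language == 'go'
        shell: bash
        run: |
          # Ensure Go bin directory is in PATH
          export PATH="${PATH}:$(go env GOPATH)/bin"
          # Check if protoc-gen-go is already installed
          if ! command -v protoc-gen-go &> /dev/null; then
            echo "Installing protoc-gen-go..."
            go install google.golang.org/protobuf/cmd/[email protected]
          else
            echo "protoc-gen-go already installed: $(protoc-gen-go --version)"
          fi

      - name: Build Go components
        if: matrix.language == 'go'
        shell: bash
        run: |
          # Ensure Go bin directory is in PATH
          export PATH="${PATH}:$(go env GOPATH)/bin"
          # Create minimal lib.h to satisfy CGO imports for CodeQL analysis.
          # The real header comes from the Rust build, which is skipped here.
          echo "Creating minimal lib.h for CodeQL analysis..."
          cat > go/lib.h <<'EOF'
          // Minimal header for CodeQL analysis
          #ifndef LIB_H
          #define LIB_H
          // Placeholder definitions for CodeQL analysis
          #endif
          EOF
          # Generate protobuf files
          cd go
          make generate-protobuf
          # For CodeQL analysis, we just need the source code available.
          # Try to build but don't fail if it can't link with Rust library
          # (deliberate best-effort: the extractor only needs the sources).
          echo "Attempting Go build for CodeQL analysis..."
          go build ./... || echo "Go build failed due to missing Rust dependencies, but source code is available for CodeQL analysis"

      # Java/Kotlin Build
      - name: Compile Java/Kotlin components for CodeQL
        if: matrix.language == 'java-kotlin'
        shell: bash
        run: |
          # Build all Java components (skip Rust build for CodeQL analysis)
          cd java
          ./gradlew --build-cache assemble --exclude-task :client:buildRust

      - name: Debug - Verify .class files are produced
        if: matrix.language == 'java-kotlin'
        shell: bash
        run: |
          # `find` exits 0 even when nothing matches, so the warning is keyed on
          # the count rather than on find's exit status.
          find java -name '*.class'
          CLASS_COUNT="$(find java -name '*.class' | wc -l)"
          echo "Total .class files: ${CLASS_COUNT}"
          if [ "${CLASS_COUNT}" -eq 0 ]; then
            echo "No .class files found!"
          fi

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"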