From 97721ccfcdc1856d5fc5c587be78e6d4d8bd7e52 Mon Sep 17 00:00:00 2001 From: Francesco Cheinasso Date: Thu, 16 Nov 2023 14:36:18 +0100 Subject: [PATCH] Create codeql.yml --- .github/workflows/codeql.yml | 124 +++++++++++++++++++++++++++++++++++ .github/workflows/test.yml | 3 - 2 files changed, 124 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..ee1325b076 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,124 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + # Runs at 19:30, only on Saturday + schedule: + - cron: '30 19 * * 6' + repository_dispatch: + types: + - test-command + +jobs: + configure: + name: Preliminary configuration + runs-on: ubuntu-latest + if: ${{ !cancelled() && github.event_name == 'repository_dispatch' }} + outputs: + commit-ref: ${{ steps.configure.outputs.commit-ref }} + repo-suffix: ${{ steps.configure.outputs.repo-suffix }} + repo-name: ${{ steps.configure.outputs.repo-name }} + steps: + - name: Configure + id: configure + run: | + # The ref of the commit to checkout (do not use the merge commit if pull request) + echo "commit-ref=${{ github.event.client_payload.pull_request.head.sha }}" >> $GITHUB_OUTPUT + echo "repo-name=${{ github.event.client_payload.github.payload.repository.full_name }}" >> $GITHUB_OUTPUT + + + # Since we are using a repository-dispatch event, we have to explicitly set a run check. We initialize it to a "pending" state. + - uses: octokit/request-action@v2.x + name: "Initialize run check to 'pending'" + with: + route: POST /repos/${{ github.repository }}/statuses/${{ steps.configure.outputs.commit-ref }} + state: "pending" + description: "CodeQL status" + context: "CodeQL" + target_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + env: + GITHUB_TOKEN: ${{ secrets.CI_TOKEN }} + if: ${{ github.event_name == 'repository_dispatch' }} + analyze: + name: Analyze + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners + # Consider using larger runners for possible analysis time improvements. + runs-on: ubuntu-latest + timeout-minutes: 360 + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'go' ] + # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] + # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - uses: actions/setup-go@v4 + with: + go-version: '1.21' + cache: true + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + - name: Build Application + run: | + find ./cmd -name "main.go" -exec dirname {} \; | while read dir; do + echo "Building ${dir}" + go build ${dir} + done + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" + + results: + name: Result + runs-on: ubuntu-latest + needs: [configure, analyze] + if: ${{ !cancelled() && github.event_name == 'repository_dispatch' }} + steps: + - uses: octokit/request-action@v2.x + name: "Update run check status" + with: + route: POST /repos/${{ github.repository }}/statuses/${{ needs.configure.outputs.commit-ref }} + state: "${{ job.status }}" + description: "CodeQL status" + context: "CodeQL" + target_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + env: + GITHUB_TOKEN: ${{ secrets.CI_TOKEN }} + if: ${{ !cancelled() && github.event_name == 'repository_dispatch' }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index af1be21656..babdc7f109 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -3,9 +3,6 @@ on: repository_dispatch: types: - test-command - push: - branches: - - master jobs: configure: