.github/workflows/codeql.yml

name: CodeQL

on:
  push:
    branches: main
    paths-ignore:
      - '**/*.md'
      - '**/release.yml'
      - '**/ci-large.yml'
      - 'assets/release/Dockerfiles/*'
  #pull_request:
    #branches: '**'

defaults:
  run:
    shell: bash

jobs:
  codeql:
    name: 'CodeQL analyzer'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: c-cpp
            build-mode: manual
            openresty: 1.25.3.2
            runtime: v8 # v8bridge
    steps:
      - uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: 'Setup cache - work/ dir'
        uses: actions/cache@v4
        if: ${{ !env.ACT }}
        with:
          path: |
            work/downloads
            work/runtimes
            work/openssl
          key: codeql-work-${{ matrix.os }}-${{ matrix.cc }}-${{ matrix.ngx }}-${{ matrix.openresty }}-${{ matrix.runtime }}-${{ hashFiles('util/**/*.sh', 'util/**/*.pl', 'util/**/*.awk', '.github/**/*.yml', '.github/**/*.sh', '.github/**/*.js', 'rust-toolchain', 'Makefile') }}
      - name: Setup Wasm runtime
        run: ./util/runtime.sh -R ${{ matrix.runtime }} -V ${{ matrix[matrix.runtime] }}
      - run: make setup
      - run: make
        env:
          NGX_WASM_RUNTIME: ${{ matrix.runtime }}
          NGX_BUILD_OPENRESTY: ${{ matrix.openresty }}
          NGX_BUILD_DYNAMIC_MODULE: 1
          NGX_BUILD_DEBUG: 1
          NGX_BUILD_SSL: 1
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          upload: false
          output: sarif-results
      - id: sarif-filename
        run: |
          if [ "${{ matrix.language }}" = "c-cpp" ]; then
            echo "name=cpp" >> $GITHUB_OUTPUT
          else
            echo "name=${{ matrix.language }}" >> $GITHUB_OUTPUT
          fi
      - name: Filter SARIF
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -**/*      # exclusion: DENY ALL
            +src/**/*  # inclusion
            +lib/**/*  # inclusion
          input: sarif-results/${{ steps.sarif-filename.outputs.name }}.sarif
          output: sarif-results/${{ steps.sarif-filename.outputs.name }}.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results
      - uses: actions/upload-artifact@v4
        with:
          name: sarif-results-${{ matrix.runtime }}
          path: sarif-results
          retention-days: ${{ github.retention_days }}