org-codeql.yml
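# Organization CodeQL workflow.
# Step 1 collects the changed files, step 2 decides (defaults, then
# .github/codeql.json, then repository properties) whether analysis should run
# and which CodeQL config file to use, and the CodeQL steps are gated on that
# decision so unrelated pushes do not pay for a full scan.
name: CodeQL

on:  # yamllint disable-line rule:truthy -- GitHub requires the bare `on` key
  workflow_dispatch:
  push:
    branches: [main, master, staging, development, devel, dev, prod]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [main, master, staging, development, devel, dev]
  merge_group:

# Least privilege: read-only everywhere except the one scope the upload needs.
permissions:
  contents: read
  issues: read
  pull-requests: read
  # github/codeql-action/analyze uploads SARIF to code scanning, which needs
  # write access on security-events; without it the analysis step cannot
  # publish its results.
  security-events: write

jobs:
  codeql:
    name: codeql
    runs-on: ubuntu-latest
    strategy:
      # No matrix here; kept so a future matrix does not cancel siblings on a
      # single failure.
      fail-fast: false
    steps:
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@ae82ed4ae04587b665efad2f206578aa6f0e8539 # v42.0.0
        with:
          # NOTE(review): in single quotes this is the two characters `\` and
          # `0`, not a NUL byte. The script below only tests the list for
          # emptiness, so the exact separator is not load-bearing — confirm
          # before relying on it elsewhere.
          separator: '\0'
          # Only file types CodeQL can analyze; when none changed the run is
          # skipped via codeql_enabled below.
          files: |
            **/*.{cpp,c++,hpp,hh,h++,hxx,c,cc,h}
            **/*.{sln,csproj,cs,cshtml,xaml}
            **/*.go
            **/*.java
            **/*.kt
            **/*.{js,jsx,mjs,es,es6,htm,html,xhtm,xhtml,vue,hbs,ejs,njk,json,yaml,yml,raml,xml}
            **/*.py
            **/*.{rb,erb,gemspec}
            **/Gemfile
            **/*.swift
            **/*.{ts,tsx,mts,cts}

      - name: Store configurations
        id: cfg
        env:
          DEBUG: ${{ runner.debug && 'true' || 'false' }}
          # Passed through the environment instead of being interpolated into
          # the script text, so file names cannot alter the JavaScript source.
          FILES: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          # NOTE(review): `github.action_path` is documented for composite
          # actions; confirm it resolves when this file runs as a workflow.
          script: |
            const { access } = await import('fs/promises');
            // fs/promises exports no `exists`; probe with access() and map the
            // outcome to a boolean instead of calling an undefined function.
            const exists = (p) => access(p).then(() => true, () => false);
            const { default: getConfig } = await import('${{ github.action_path }}/src/getConfig.js');
            const { default: getProperties } = await import('${{ github.action_path }}/src/getProperties.js');
            const debug = process.env.DEBUG === 'true';
            if (debug) console.log("Initializing CodeQL Action");

            // Visibility is read via GraphQL; private repositories are excluded
            // from the run (presumably because code scanning there needs an
            // Advanced Security licence — TODO confirm).
            const query = `
              query($owner: String!, $name: String!) {
                repository(owner: $owner, name: $name) {
                  isPrivate
                }
              }
            `;
            const variables = {
              owner: context.repo.owner,
              name: context.repo.repo,
            };
            const result = await github.graphql(query, variables);
            const isPrivate = result.repository.isPrivate;
            // `pull_request` is absent on push/merge_group/dispatch payloads,
            // so isDraft is undefined (falsy) there.
            const isDraft = context.payload.pull_request?.draft;
            const isBot = context.actor.endsWith('[bot]');
            const isEmptyFiles = (process.env.FILES ?? '').trim() === '';

            const config = await getConfig({ owner: context.repo.owner, repo: context.repo.repo, path: '.github/codeql.json', debug, github });
            const properties = await getProperties({ owner: context.repo.owner, repo: context.repo.repo, debug, github });

            // A repository-local config wins over the shared one next to this
            // workflow; neither present leaves the key undefined (dropped from
            // the JSON output, read back as null by the steps below).
            const localConfig = '.github/codeql/codeql-config.yml';
            const sharedConfig = '${{ github.action_path }}/.github/codeql/codeql-config.yml';
            let codeql_config_file;
            if (await exists(localConfig)) {
              codeql_config_file = localConfig;
            } else if (await exists(sharedConfig)) {
              codeql_config_file = sharedConfig;
            }

            // Later sources override earlier ones:
            // defaults < .github/codeql.json < repository properties.
            const options = Object.assign({
              codeql_enabled: !isDraft && !isBot && !isPrivate && !isEmptyFiles,
              codeql_config_file,
            }, config, properties);
            // An override may arrive as the string 'true'/'false'; coerce so the
            // `if:` expressions below can compare against a real boolean.
            options.codeql_enabled = String(options.codeql_enabled) === 'true';
            return options;

      # github-script stores its return value as a JSON *string* in
      # `outputs.result`; property access on that string yields null in
      # expressions, so the object must be decoded with fromJSON() first.
      - if: ${{ fromJSON(steps.cfg.outputs.result).codeql_enabled == true }}
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - if: ${{ fromJSON(steps.cfg.outputs.result).codeql_enabled == true }}
        name: Initialize CodeQL
        uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
        with:
          # Empty when no config file was found; init then uses its defaults.
          config-file: ${{ fromJSON(steps.cfg.outputs.result).codeql_config_file }}

      - if: ${{ fromJSON(steps.cfg.outputs.result).codeql_enabled == true }}
        name: Autobuild
        uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1

      - if: ${{ fromJSON(steps.cfg.outputs.result).codeql_enabled == true }}
        name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1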