mirror of
https://github.com/github/codeql-action.git
synced 2025-12-06 07:48:17 +08:00
5bd8069afb
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
147 lines
4.4 KiB
YAML
147 lines
4.4 KiB
YAML
name: "CodeQL action"
|
|
|
|
on:
|
|
push:
|
|
branches: [main, releases/v*]
|
|
pull_request:
|
|
branches: [main, releases/v*]
|
|
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
|
|
# by other workflows.
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
schedule:
|
|
# Weekly on Sunday.
|
|
- cron: '30 1 * * 0'
|
|
workflow_dispatch:
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
|
|
env:
|
|
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
|
|
|
|
jobs:
|
|
# Identify the CodeQL tool versions to use in the analysis job.
|
|
check-codeql-versions:
|
|
if: github.triggering_actor != 'dependabot[bot]'
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
versions: ${{ steps.compare.outputs.versions }}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- name: Init with default CodeQL bundle from the VM image
|
|
id: init-default
|
|
uses: ./init
|
|
with:
|
|
languages: javascript
|
|
- name: Remove empty database
|
|
# allows us to run init a second time
|
|
run: |
|
|
rm -rf "$RUNNER_TEMP/codeql_databases"
|
|
- name: Init with latest CodeQL bundle
|
|
id: init-latest
|
|
uses: ./init
|
|
with:
|
|
tools: linked
|
|
languages: javascript
|
|
- name: Compare default and latest CodeQL bundle versions
|
|
id: compare
|
|
env:
|
|
CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
|
|
CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
|
|
run: |
|
|
CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
|
|
CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
|
|
echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
|
|
echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
|
|
|
|
# If we're running on a pull request, run with both bundles, even if `tools: linked` would
|
|
# be the same as `tools: null`. This allows us to make the job for each of the bundles a
|
|
# required status check.
|
|
#
|
|
# If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
|
|
# the same as running with `tools: null`.
|
|
if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
|
|
VERSIONS_JSON='[null]'
|
|
else
|
|
VERSIONS_JSON='[null, "linked"]'
|
|
fi
|
|
|
|
# Output a JSON-encoded list with the distinct versions to test against.
|
|
echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
|
|
echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
|
|
|
|
analyze-javascript:
|
|
if: github.triggering_actor != 'dependabot[bot]'
|
|
needs: [check-codeql-versions]
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
|
|
tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
|
|
runs-on: ${{ matrix.os }}
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v6
|
|
- name: Initialize CodeQL
|
|
uses: ./init
|
|
id: init
|
|
with:
|
|
languages: javascript
|
|
config-file: ./.github/codeql/codeql-config-javascript.yml
|
|
tools: ${{ matrix.tools }}
|
|
# confirm steps.init.outputs.codeql-path points to the codeql binary
|
|
- name: Print CodeQL Version
|
|
run: >
|
|
"$CODEQL" version --format=json
|
|
env:
|
|
CODEQL: ${{steps.init.outputs.codeql-path}}
|
|
- name: Perform CodeQL Analysis
|
|
uses: ./analyze
|
|
with:
|
|
category: "/language:javascript"
|
|
upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
|
|
|
|
analyze-other:
|
|
if: github.triggering_actor != 'dependabot[bot]'
|
|
runs-on: ubuntu-latest
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- language: actions
|
|
- language: python
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v6
|
|
- name: Initialize CodeQL
|
|
uses: ./init
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
build-mode: none
|
|
config: >
|
|
paths-ignore:
|
|
- lib
|
|
- tests
|
|
queries:
|
|
- uses: security-and-quality
|
|
- name: Perform CodeQL Analysis
|
|
uses: ./analyze
|
|
with:
|
|
category: "/language:${{ matrix.language }}"
|