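---
name: CodeQL
# This is the advanced CodeQL setup. GitHub will reject its uploaded results
# while repository CodeQL default setup is still enabled.
#
# Layout:
#   changes   - decides which languages need a scan from the changed files
#   analyze-* - one CodeQL job per language, gated on the `changes` outputs
"on":
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  schedule:
    - cron: "20 14 * * 1"
concurrency:
  group: >-
    ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
permissions:
  actions: read
  contents: read
  packages: read
  security-events: write
jobs:
  changes:
    name: Detect CodeQL Inputs
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    outputs:
      go: ${{ steps.detect.outputs.go }}
      javascript_typescript: ${{ steps.detect.outputs.javascript_typescript }}
    steps:
      # actions/checkout v6.0.3
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
        with:
          # Keep normal runs shallow; the detect step fetches older bases only
          # when a larger push range needs them.
          fetch-depth: 2
          persist-credentials: false
      - name: Detect changed CodeQL inputs
        id: detect
        env:
          BEFORE_SHA: ${{ github.event.before }}
          EVENT_NAME: ${{ github.event_name }}
        # Emits go=<bool> and javascript_typescript=<bool>. When the change
        # set cannot be computed the step reports both as true: a scan that
        # runs needlessly is cheap, a scan that is silently skipped is not.
        run: |
          set -euo pipefail
          go_changed=false
          js_changed=false
          if [ "$EVENT_NAME" = "schedule" ]; then
            # Weekly runs always cover every language.
            go_changed=true
            js_changed=true
          else
            zero_sha=0000000000000000000000000000000000000000
            if [ "$EVENT_NAME" = "pull_request" ] &&
               git rev-parse --verify --quiet HEAD^2 >/dev/null; then
              # actions/checkout lands on the PR merge commit: first parent
              # is the base branch, second parent is the PR head.
              diff_base=HEAD^1
              diff_head=HEAD^2
            elif [ -n "${BEFORE_SHA}" ] &&
                 [ "${BEFORE_SHA}" != "${zero_sha}" ]; then
              # Push: compare against the ref's previous tip so every commit
              # in the pushed range counts, not only the newest one.
              diff_base="${BEFORE_SHA}"
              diff_head=HEAD
            else
              diff_base=HEAD^
              diff_head=HEAD
            fi
            if ! git cat-file -e "${diff_base}^{commit}" 2>/dev/null; then
              # Best effort only: a base that stays unreachable (force push,
              # range deeper than fetch-depth) is handled by the diff check.
              git fetch --no-tags --depth=1 origin "${diff_base}" \
                2>/dev/null ||
                git fetch --no-tags --unshallow origin 2>/dev/null ||
                true
            fi
            # Check git diff's exit status explicitly. Reading it through a
            # process substitution hides a failure as an empty change list,
            # which would skip both analyses without any signal.
            if changed_list="$(git diff --name-only "$diff_base" "$diff_head")"; then
              while IFS= read -r file; do
                case "$file" in
                  .github/workflows/codeql.yml | .github/codeql/*)
                    go_changed=true
                    js_changed=true
                    ;;
                  *.go | go.mod | go.sum | Makefile | \
                  .github/actions/setup-go/* | .github/actions/go-checks/*)
                    go_changed=true
                    ;;
                  _datafiles/html/admin/static/js/monaco* | \
                  _datafiles/html/admin/static/js/highlight.js | \
                  _datafiles/html/admin/static/css/monaco-editor.css | \
                  _datafiles/html/public/static/js/xterm/*)
                    # Bundled browser assets: listed before the generic JS
                    # patterns so they never trigger the JS scan on their own.
                    ;;
                  *.html | *.htm | *.js | *.jsx | *.ts | *.tsx | *.mjs | *.cjs | \
                  package.json | package-lock.json | npm-shrinkwrap.json | \
                  yarn.lock | pnpm-lock.yaml)
                    js_changed=true
                    ;;
                esac
              done <<< "$changed_list"
            else
              echo "::warning::Cannot diff ${diff_base}..${diff_head};" \
                "analyzing all CodeQL languages"
              go_changed=true
              js_changed=true
            fi
          fi
          {
            echo "go=${go_changed}"
            echo "javascript_typescript=${js_changed}"
          } >> "$GITHUB_OUTPUT"
  analyze-go:
    name: Analyze (go)
    needs: changes
    if: >-
      ${{
        github.event_name == 'schedule' ||
        needs.changes.outputs.go == 'true'
      }}
    runs-on: ubuntu-24.04
    # Keep analyzer regressions from tying up a runner indefinitely.
    timeout-minutes: 30
    steps:
      # actions/checkout v6.0.3
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        # github/codeql-action v4.36.2
        # yamllint disable-line rule:line-length
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
        with:
          languages: go
          # Path filters live in CodeQL config, not workflow event filters.
          config-file: ./.github/codeql/codeql-config.yml
      - name: Autobuild
        # github/codeql-action v4.36.2
        # yamllint disable-line rule:line-length
        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
      - name: Perform CodeQL Analysis
        # github/codeql-action v4.36.2
        # yamllint disable-line rule:line-length
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
        with:
          # Keep separate code scanning result categories for each language.
          category: "/language:go"
  analyze-javascript-typescript:
    name: Analyze (javascript-typescript)
    needs: changes
    if: >-
      ${{
        github.event_name == 'schedule' ||
        needs.changes.outputs.javascript_typescript == 'true'
      }}
    runs-on: ubuntu-24.04
    # Keep analyzer regressions from tying up a runner indefinitely.
    timeout-minutes: 30
    steps:
      # actions/checkout v6.0.3
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        # github/codeql-action v4.36.2
        # yamllint disable-line rule:line-length
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
        with:
          languages: javascript-typescript
          # Path filters live in CodeQL config, not workflow event filters.
          config-file: ./.github/codeql/codeql-config.yml
      - name: Perform CodeQL Analysis
        # github/codeql-action v4.36.2
        # yamllint disable-line rule:line-length
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
        with:
          # Keep separate code scanning result categories for each language.
          category: "/language:javascript-typescript"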