---
# CodeQL, "advanced setup" flavour.
#
# Why not the default setup: the branch ruleset's "Require code scanning
# results" rule blocks a PR until a SARIF upload arrives. A PR that changes no
# analysable code (locale-only, workflow-only) would never produce one if the
# workflow were path-triggered, and the check would sit pending forever. So
# every PR gets one job per language, and that job either runs the real
# analysis (relevant paths changed) or uploads an empty SARIF so the check can
# resolve cleanly.
#
# Settings mirrored from the former default setup:
#   languages    : actions, javascript-typescript
#                  (javascript and typescript are covered by the latter)
#   query suite  : default
#   threat model : remote
#   schedule     : weekly
name: CodeQL

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    # Weekly, same cadence the default setup used.
    - cron: "0 6 * * 1"

# Workflow-level default: no token scopes at all. Each job opts in below.
permissions: {}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write  # SARIF upload via codeql-action
      pull-requests: read  # dorny/paths-filter reads the PR's changed files via the PRs API

    strategy:
      fail-fast: false  # one language failing must not cancel the other
      matrix:
        include:
          # `paths-filter` is the filter YAML handed to dorny/paths-filter;
          # `code` is the only filter and drives steps.changes.outputs.code.
          - language: actions
            paths-filter: |
              code:
                - '.github/workflows/**'
                - '.github/actions/**'
          - language: javascript-typescript
            paths-filter: |
              code:
                - '**/*.ts'
                - '**/*.tsx'
                - '**/*.js'
                - '**/*.jsx'
                - '**/*.mjs'
                - '**/*.cjs'
                - '**/package.json'
                - '**/pnpm-lock.yaml'

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Don't leave the job token in .git/config for later steps.
          persist-credentials: false

      # Only pull_request events are path-gated; push and schedule always
      # analyze, so this step is skipped for them and its output stays empty.
      - name: Detect relevant changes
        id: changes
        if: github.event_name == 'pull_request'
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          filters: ${{ matrix.paths-filter }}

      # Fold event name + filter result into a single `analyze` output.
      # Both inputs reach the script through env, not by interpolating
      # ${{ }} into the script body.
      - name: Decide whether to analyze
        id: decide
        env:
          EVENT_NAME: ${{ github.event_name }}
          CHANGED: ${{ steps.changes.outputs.code }}
        run: |
          analyze=false
          if [ "$EVENT_NAME" != "pull_request" ] || [ "$CHANGED" = "true" ]; then
            analyze=true
          fi
          echo "analyze=${analyze}" >> "$GITHUB_OUTPUT"

      # --- Real analysis path -----------------------------------------------
      - name: Initialize CodeQL
        if: steps.decide.outputs.analyze == 'true'
        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL analysis
        if: steps.decide.outputs.analyze == 'true'
        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          category: "/language:${{ matrix.language }}"

      # --- Skip path: satisfy the ruleset with an empty result set ----------
      # The "Require code scanning results" rule only needs *a* SARIF for the
      # category; an empty `results` array reports as a clean pass.
      - name: Write empty SARIF
        if: steps.decide.outputs.analyze != 'true'
        env:
          LANGUAGE: ${{ matrix.language }}  # matrix literal from `include` above, not PR-controlled
        run: |
          # Unquoted heredoc so ${LANGUAGE} expands; "$schema" is escaped
          # because it has to stay literal in the JSON.
          cat <<SARIF > empty.sarif
          {
            "version": "2.1.0",
            "\$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [
              {
                "tool": {
                  "driver": {
                    "name": "CodeQL",
                    "semanticVersion": "0.0.0",
                    "rules": []
                  }
                },
                "results": [],
                "automationDetails": {
                  "id": "/language:${LANGUAGE}/"
                }
              }
            ]
          }
          SARIF

      - name: Upload empty SARIF
        if: steps.decide.outputs.analyze != 'true'
        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          sarif_file: empty.sarif
          category: "/language:${{ matrix.language }}"