Fix issues reported by CodeQL #60
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: "CodeQL - Analyze (C++, Python, Actions)" | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| - cron: '0 3 * * 0' # weekly (UTC) — adjust as needed | |
| workflow_dispatch: | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| env: | |
| BUILD_TYPE: RelWithDebInfo | |
| CPP_COMPILER: g++ | |
| jobs: | |
| codeql: | |
| name: Analyze ${{ matrix.language }} with CodeQL | |
| runs-on: ubuntu-24.04 | |
| container: | |
| image: ghcr.io/framework-r-d/phlex-ci:latest | |
| strategy: | |
| fail-fast: false | |
| matrix: # Necessry to disable yaml-language-server warning | |
| language: ['cpp', 'python', 'actions'] | |
| timeout-minutes: 120 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| path: phlex-src | |
| fetch-depth: 0 | |
| - name: Setup build environment | |
| uses: ./phlex-src/.github/actions/setup-build-env | |
| with: | |
| build-path: phlex-build | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| config-file: phlex-src/.github/codeql/codeql-config.yml | |
| source-root: phlex-src | |
| build-mode: ${{ matrix.language == 'cpp' && 'manual' || 'none' }} | |
| - name: Configure and build (C++ only) | |
| if: matrix.language == 'cpp' | |
| run: | | |
| . /entrypoint.sh | |
| cd "$GITHUB_WORKSPACE/phlex-build" | |
| # For reasons unknown, CodeQL's choice of LD_PRELOAD needs to | |
| # be corrected | |
| export LD_PRELOAD="$SEMMLE_PRELOAD_libtrace64" | |
| echo "LD_PRELOAD=$LD_PRELOAD" | |
| cmake --preset=default -S "$GITHUB_WORKSPACE/phlex-src" \ | |
| -B "$GITHUB_WORKSPACE/phlex-build" -GNinja \ | |
| -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \ | |
| -DCMAKE_CXX_COMPILER="$CPP_COMPILER" \ | |
| -DPHLEX_USE_FORM=TRUE \ | |
| -DFORM_USE_ROOT_STORAGE=TRUE || exit | |
| cmake --build . || exit | |
| # Run CodeQL analysis (uploads results to code scanning) | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| checkout_path: phlex-src | |
| category: ${{ matrix.language }} | |
| - name: Upload SARIF results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: codeql-sarif-${{ matrix.language }} | |
| path: codeql-results.sarif | |
| retention-days: 7 | |
| codeql-report: | |
| name: Aggregate CodeQL alerts | |
| needs: codeql | |
| runs-on: ubuntu-24.04 | |
| if: needs.codeql.result == 'success' | |
| permissions: | |
| contents: read | |
| issues: write | |
| env: | |
| CODEQL_MIN_LEVEL: warning | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download CodeQL SARIF artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: codeql-sarif-* | |
| path: sarif | |
| merge-multiple: true | |
| - name: Check CodeQL SARIF for new or resolved alerts | |
| id: check_codeql | |
| run: | | |
| set -euo pipefail | |
| python3 scripts/check_codeql_alerts.py \ | |
| --sarif "$GITHUB_WORKSPACE/sarif" \ | |
| --min-level "${CODEQL_MIN_LEVEL}" | |
| - name: Comment on PR with CodeQL alert changes | |
| if: >- | |
| github.event_name == 'pull_request' && | |
| (steps.check_codeql.outputs.new_alerts == 'true' || | |
| steps.check_codeql.outputs.fixed_alerts == 'true') | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const marker = '<!-- codeql-alerts -->'; | |
| const legacyMarker = '<!-- codeql-new-alerts -->'; | |
| const commentPath = '${{ steps.check_codeql.outputs.comment_path }}'; | |
| if (!commentPath) { | |
| core.setFailed('check_codeql did not emit a comment_path output.'); | |
| return; | |
| } | |
| const body = fs.readFileSync(commentPath, 'utf8'); | |
| const finalBody = body.includes(marker) ? body : `${body}\n${marker}`; | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| per_page: 100, | |
| }); | |
| const existing = comments.find(comment => comment.body.includes(marker) || comment.body.includes(legacyMarker)); | |
| if (existing) { | |
| await github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: existing.id, | |
| body: finalBody, | |
| }); | |
| } else { | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: finalBody, | |
| }); | |
| } | |
| - name: Fail workflow due to new CodeQL alerts | |
| if: github.event_name == 'pull_request' && steps.check_codeql.outputs.new_alerts == 'true' | |
| run: | | |
| echo "New CodeQL alerts detected; failing job." | |
| exit 1 |