Skip to content
CodeQL Analysis

Update how type information is passed from Phlex to FORM #688

Sign in to view logs

Update how type information is passed from Phlex to FORM

Update how type information is passed from Phlex to FORM #688

Workflow file for this run

.github/workflows/codeql-analysis.yaml at 50533c2
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "CodeQL - Analyze (C++, Python, Actions)"
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
schedule:
- cron: '0 3 * * 0' # weekly (UTC) — adjust as needed
workflow_dispatch:
permissions:
actions: read
contents: read
security-events: write
env:
BUILD_TYPE: RelWithDebInfo
CPP_COMPILER: g++
CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE: ${{ github.workspace }}/phlex-build/compile_commands.json
jobs:
codeql:
name: Analyze ${{ matrix.language }} with CodeQL
runs-on: ubuntu-24.04
container:
image: ghcr.io/framework-r-d/phlex-ci:latest
strategy:
fail-fast: false
matrix:
language: ['cpp', 'python', 'actions']
timeout-minutes: 120
steps:
- name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
path: phlex-src
fetch-depth: 0
- name: Setup build environment
uses: Framework-R-D/phlex/.github/actions/setup-build-env@main
with:
build-path: phlex-build
- name: Initialize CodeQL
uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
with:
languages: ${{ matrix.language }}
config-file: phlex-src/.github/codeql/codeql-config.yml
source-root: phlex-src
build-mode: none
- name: Produce compile_commands.json (C++ only)
if: matrix.language == 'cpp'
uses: Framework-R-D/phlex/.github/actions/configure-cmake@main
with:
build-type: ${{ env.BUILD_TYPE }}
- name: Verify compile_commands.json (C++ only)
if: matrix.language == 'cpp'
run: |
set -euo pipefail
if [ ! -f "$CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE" ]; then
echo "Expected compile_commands.json at $CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE" >&2
exit 1
fi
# Run CodeQL analysis (uploads results to code scanning)
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
with:
checkout_path: phlex-src
output: results
category: ${{ matrix.language }}
- name: Upload SARIF results
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: codeql-sarif-${{ matrix.language }}
path: results
retention-days: 7
codeql-report:
name: Aggregate CodeQL alerts
needs: codeql
runs-on: ubuntu-24.04
if: needs.codeql.result == 'success'
permissions:
contents: read
issues: write
pull-requests: write
security-events: read
env:
CODEQL_MIN_LEVEL: warning
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Set log file path
id: set_log_path
run: echo "path=$RUNNER_TEMP/codeql-alerts.log" >> "$GITHUB_OUTPUT"
- name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
- name: Download CodeQL SARIF artifacts
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
pattern: codeql-sarif-*
path: sarif
merge-multiple: true
- name: Check CodeQL SARIF for new or resolved alerts
id: check_codeql
run: |
set -euo pipefail
ARGS=(
--sarif "$GITHUB_WORKSPACE/sarif"
--min-level "${CODEQL_MIN_LEVEL}"
--log-path "${{ steps.set_log_path.outputs.path }}"
)
if [ "${{ github.event_name }}" = "pull_request" ]; then
ARGS+=(--ref "refs/pull/${{ github.event.pull_request.number }}/merge")
fi
python3 scripts/check_codeql_alerts.py "${ARGS[@]}"
- name: Upload CodeQL alerts debug log
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: codeql-alerts-debug-log
path: ${{ steps.set_log_path.outputs.path }}
retention-days: 3
- name: "Debug: PR head and repo info (no-op for non-PR runs)"
if: github.event_name == 'pull_request'
run: |
echo "github.repository: ${{ github.repository }}"
echo "pr.head.repo.full_name: ${{ github.event.pull_request.head.repo.full_name }}"
echo "pr.head.repo.owner.login: ${{ github.event.pull_request.head.repo.owner.login }}"
echo "pr.base.repo.full_name: ${{ github.event.pull_request.base.repo.full_name }}"
echo "actor: ${{ github.actor }}"
echo "Available step outputs from check_codeql:"
echo " new_alerts=${{ steps.check_codeql.outputs.new_alerts }}"
echo " fixed_alerts=${{ steps.check_codeql.outputs.fixed_alerts }}"
echo "Event payload head/type (first 200 chars):"
if [ -n "$GITHUB_EVENT_PATH" ]; then
jq -c . < "$GITHUB_EVENT_PATH" | cut -c-200 || true
fi
- name: Comment on PR with CodeQL alert changes
# Only attempt to post comments on pull requests that originate from
# the same repository. GitHub's `GITHUB_TOKEN` cannot create comments
# on pull requests originating from forks (Resource not accessible
# by integration). For forked PRs, maintainers can inspect the
# uploaded log/artifact instead.
if: >-
github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository &&
(steps.check_codeql.outputs.new_alerts == 'true' ||
steps.check_codeql.outputs.fixed_alerts == 'true')
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const fs = require('fs');
const marker = '<!-- codeql-alerts -->';
const legacyMarker = '<!-- codeql-new-alerts -->';
const commentPath = '${{ steps.check_codeql.outputs.comment_path }}';
if (!commentPath) {
core.setFailed('check_codeql did not emit a comment_path output.');
return;
}
const body = fs.readFileSync(commentPath, 'utf8');
const finalBody = body.includes(marker) ? body : `${body}\n${marker}`;
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
per_page: 100,
});
const existing = comments.find(comment => comment.body.includes(marker) || comment.body.includes(legacyMarker));
if (existing) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: existing.id,
body: finalBody,
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: finalBody,
});
}
- name: Log CodeQL alert changes for forked PR
if: >-
github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name != github.repository &&
(steps.check_codeql.outputs.new_alerts == 'true' ||
steps.check_codeql.outputs.fixed_alerts == 'true')
run: |
set -euo pipefail
comment_file="${{ steps.check_codeql.outputs.comment_path }}"
if [ "${{ steps.check_codeql.outputs.new_alerts }}" = "true" ]; then
prefix="::error::"
should_fail=true
else
prefix="::notice::"
should_fail=false
fi
echo "${prefix}This PR is from a fork. CodeQL comments cannot be posted directly."
echo "${prefix}Displaying comment content in the log:"
# Read the file line by line and prepend the prefix to avoid issues
# with special characters in the comment body.
while IFS= read -r line; do
echo "${prefix}${line}"
done < "$comment_file"
if [ "$should_fail" = true ]; then
exit 1
fi
- name: Fail workflow due to new CodeQL alerts
# Only fail the job for PRs from the same repository where the
# action has permission to comment / act. Forked PR runs cannot
# reliably perform repo-write actions with `GITHUB_TOKEN`.
if: >-
github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository &&
steps.check_codeql.outputs.new_alerts == 'true'
run: |
echo "New CodeQL alerts detected; failing job."
exit 1