CodeQL action #8786
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "CodeQL action" | |
on: | |
push: | |
branches: [main, releases/v*] | |
pull_request: | |
branches: [main, releases/v*] | |
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened | |
# by other workflows. | |
types: [opened, synchronize, reopened, ready_for_review] | |
schedule: | |
# Weekly on Sunday. | |
- cron: '30 1 * * 0' | |
workflow_dispatch: | |
env: | |
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks | |
jobs: | |
# Identify the CodeQL tool versions to use in the analysis job. | |
check-codeql-versions: | |
runs-on: ubuntu-latest | |
outputs: | |
versions: ${{ steps.compare.outputs.versions }} | |
permissions: | |
security-events: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Init with default CodeQL bundle from the VM image | |
id: init-default | |
uses: ./init | |
with: | |
languages: javascript | |
- name: Remove empty database | |
# allows us to run init a second time | |
run: | | |
rm -rf "$RUNNER_TEMP/codeql_databases" | |
- name: Init with latest CodeQL bundle | |
id: init-latest | |
uses: ./init | |
with: | |
tools: linked | |
languages: javascript | |
- name: Compare default and latest CodeQL bundle versions | |
id: compare | |
env: | |
CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }} | |
CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }} | |
run: | | |
CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)" | |
CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)" | |
echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT" | |
echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST" | |
# If we're running on a pull request, run with both bundles, even if `tools: linked` would | |
# be the same as `tools: null`. This allows us to make the job for each of the bundles a | |
# required status check. | |
# | |
# If we're running on push or schedule, then we can skip running with `tools: linked` when it would be | |
# the same as running with `tools: null`. | |
if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then | |
VERSIONS_JSON='[null]' | |
else | |
VERSIONS_JSON='[null, "linked"]' | |
fi | |
# Output a JSON-encoded list with the distinct versions to test against. | |
echo "Suggested matrix config for analysis job: $VERSIONS_JSON" | |
echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT | |
build: | |
needs: [check-codeql-versions] | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-13,macos-14] | |
tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }} | |
runs-on: ${{ matrix.os }} | |
permissions: | |
security-events: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Initialize CodeQL | |
uses: ./init | |
id: init | |
with: | |
languages: javascript | |
config-file: ./.github/codeql/codeql-config.yml | |
tools: ${{ matrix.tools }} | |
# confirm steps.init.outputs.codeql-path points to the codeql binary | |
- name: Print CodeQL Version | |
run: ${{steps.init.outputs.codeql-path}} version --format=json | |
- name: Perform CodeQL Analysis | |
uses: ./analyze | |
with: | |
category: "/language:javascript" |