*: new workflow org-codeql #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CodeQL | |
on: | |
workflow_dispatch: | |
push: | |
branches: [main, master, staging, development, devel, dev, prod] | |
pull_request: | |
types: [opened, synchronize, reopened, ready_for_review] | |
branches: [main, master, staging, development, devel, dev] | |
merge_group: | |
permissions: | |
contents: read | |
issues: read | |
pull-requests: read | |
jobs: | |
codeql: | |
name: codeql | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
steps: | |
- name: Get changed files | |
id: changed-files | |
uses: tj-actions/changed-files@ae82ed4ae04587b665efad2f206578aa6f0e8539 # v42.0.0 | |
with: | |
separator: '\0' | |
files: | | |
**/*.{cpp,c++,hpp,hh,h++,hxx,c,cc,h} | |
**/*.{sln,csproj,cs,cshtml,xaml} | |
**/*.go | |
**/*.java | |
**/*.kt | |
**/*.{js,jsx,mjs,es,es6,htm,html,xhtm,xhtml,vue,hbs,ejs,njk,json,yaml,yml,raml,xml} | |
**/*.py | |
**/*.{rb,erb,gemspec} | |
**/Gemfile | |
**/*.swift | |
**/*.{ts,tsx,mts,cts} | |
- name: Store configurations | |
id: cfg | |
env: | |
DEBUG: ${{ runner.debug && 'true' || 'false'}} | |
FILES: ${{ steps.changed-files.outputs.all_changed_and_modified_files }} | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
const { exists } = await import('fs/promises'); | |
const { default: getConfig } = await import('${{ github.action_path }}/src/getConfig.js'); | |
const { default: getProperties } = await import('${{ github.action_path }}/src/getProperties.js'); | |
var debug = process.env.DEBUG == 'true'; | |
if (debug) console.log("Initializing CodeQL Action"); | |
const query = ` | |
query($owner: String!, $name: String!) { | |
repository(owner: $owner, name: $name) { | |
isPrivate | |
} | |
} | |
`; | |
const variables = { | |
owner: context.repo.owner, | |
name: context.repo.repo, | |
}; | |
const result = await github.graphql(query, variables); | |
const isPrivate = result.repository.isPrivate; | |
const isDraft = context.payload.pull_request?.draft; | |
const isBot = context.actor.endsWith('[bot]'); | |
const isEmptyFiles = process.env.FILES.trim() === ''; | |
let config = await getConfig({owner: context.repo.owner, repo: context.repo.repo, path: '.github/codeql.json', debug, github}); | |
let properties = await getProperties({owner: context.repo.owner, repo: context.repo.repo, debug, github}); | |
const options = { | |
codeql_enabled: !isDraft && !isBot && !isPrivate && !isEmptyFiles, | |
codeql_config_file: await exists('.github/codeql/codeql-config.yml') ? | |
'.github/codeql/codeql-config.yml' : | |
await exists('${{ github.action_path }}/.github/codeql/codeql-config.yml') ? | |
'${{ github.action_path }}/.github/codeql/codeql-config.yml' : | |
undefined, | |
}, cfg, properties); | |
return options; | |
- if: ${{ steps.cfg.outputs.result.codeql_enabled == 'true' }} | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- if: ${{ steps.cfg.outputs.result.codeql_enabled == 'true' }} | |
name: Initialize CodeQL | |
uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 | |
with: | |
config-file: ${{ steps.cfg.outputs.result.codeql_config_file }} | |
- if: ${{ steps.cfg.outputs.result.codeql_enabled == 'true' }} | |
name: Autobuild | |
uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 | |
- if: ${{ steps.cfg.outputs.result.codeql_enabled == 'true' }} | |
name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 |