Fix CodeQL warnings #1107
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: [push, pull_request] | |
permissions: | |
contents: read | |
env: | |
BUILD_NUMBER: ${{ github.run_number }} | |
MAKEFLAGS: -j3 | |
jobs: | |
macos: | |
name: Build on macOS | |
runs-on: macos-latest | |
env: | |
MACOSX_DEPLOYMENT_TARGET: 11.0 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v2 | |
with: | |
workflow: build.yml | |
branch: master | |
name: pkgs | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install dependencies | |
env: | |
HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: YES | |
run: | | |
brew install ninja flatbuffers | |
HASH=($(shasum prepare_osx_build_environment.sh)) | |
curl -O -L -s https://installer.id.ee/media/github/opensc_0.22.0.pkg | |
curl -O -L -s https://installer.id.ee/media/github/${HASH}.zip | |
sudo installer -verboseR -pkg libdigidocpp-pkg/libdigidocpp*.pkg -target / | |
sudo installer -verboseR -pkg opensc_*.pkg -target / | |
sudo unzip -qq -d /Library/Developer ${HASH}.zip | |
- name: Build | |
run: | | |
QT_DIR=$(ls -d /Library/Developer/Qt-*-OpenSSL | tail -n 1) | |
cmake "-GNinja" \ | |
-DCMAKE_PREFIX_PATH=${QT_DIR} \ | |
-DOPENSSL_ROOT_DIR=/Library/Developer/OpenSSL \ | |
-DLDAP_ROOT=/Library/Developer/OpenLDAP \ | |
-DCMAKE_OSX_ARCHITECTURES="x86_64;arm64" -B build -S . | |
cmake --build build --target zipdebug macdeployqt zip | |
- name: Archive artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: pkgs | |
path: build/qdigidoc4*.zip | |
ubuntu: | |
name: Build on Ubuntu to ${{ matrix.container }} | |
runs-on: ubuntu-latest | |
container: ${{ matrix.container }} | |
strategy: | |
matrix: | |
container: ['ubuntu:20.04', 'ubuntu:22.04', 'ubuntu:23.04'] | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
DEBFULLNAME: github-actions | |
DEBEMAIL: github-actions@github.com | |
steps: | |
- name: Install dependencies | |
if: matrix.container == 'ubuntu:20.04' | |
run: apt update -qq && apt install --no-install-recommends -y git lsb-release fakeroot build-essential devscripts debhelper pkg-config cmake libldap2-dev gettext libpcsclite-dev libssl-dev libqt5svg5-dev qttools5-dev-tools qttools5-dev lintian libflatbuffers-dev zlib1g-dev | |
- name: Install dependencies | |
if: matrix.container != 'ubuntu:20.04' | |
run: apt update -qq && apt install --no-install-recommends -y git lsb-release fakeroot build-essential devscripts debhelper pkg-config cmake libldap2-dev gettext libpcsclite-dev libssl-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libqt6core5compat6-dev lintian libflatbuffers-dev zlib1g-dev | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v2 | |
with: | |
workflow: build.yml | |
branch: master | |
name: debs | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install artifact | |
run: | | |
apt install --no-install-recommends -y ./libdigidocpp-pkg/*$(lsb_release -rs)*.deb | |
rm -rf libdigidocpp-pkg | |
- name: Setup changelog | |
run: | | |
export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}") | |
export VERSIONEX=${VERSION}.${BUILD_NUMBER}.$(lsb_release -rs) | |
dch --distribution $(lsb_release -cs) -v ${VERSIONEX} "Release ${VERSIONEX}." | |
- name: Build packages | |
run: | | |
dpkg-buildpackage -us -uc | |
mv ../qdigidoc4*.* . | |
- name: Lintian | |
run: lintian *.deb; | |
- name: Archive artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: debs | |
path: qdigidoc4*.* | |
fedora: | |
name: Build on Fedora to ${{ matrix.container }} | |
runs-on: ubuntu-latest | |
container: ${{ matrix.container }} | |
strategy: | |
matrix: | |
container: ['fedora:37', 'fedora:38'] | |
env: | |
MAKEFLAGS: -j3 | |
steps: | |
- name: Install Deps | |
run: dnf install -y git gcc-c++ cmake rpm-build gettext openssl-devel openldap-devel pcsc-lite-devel qt6-qtsvg-devel qt6-qttools-devel qt6-qt5compat-devel flatbuffers-devel flatbuffers-compiler zlib-devel | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v2 | |
with: | |
workflow: build.yml | |
branch: master | |
name: rpms | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install artifact | |
run: | | |
. /etc/os-release | |
dnf install -y ./libdigidocpp-pkg/*fc${VERSION_ID}*.rpm | |
- name: Build | |
run: | | |
cmake -DCMAKE_INSTALL_PREFIX=/usr -B build -S . | |
cmake --build build --target all package | |
- name: Archive artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: rpms | |
path: build/qdigidoc4*.rpm | |
windows: | |
name: Build on Windows | |
runs-on: ${{ matrix.image }} | |
strategy: | |
matrix: | |
vcver: [142, 143] | |
include: | |
- vcver: 142 | |
image: windows-2019 | |
- vcver: 143 | |
image: windows-2022 | |
env: | |
VER_SUFFIX: .VS${{ matrix.vcver }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v2 | |
with: | |
workflow: build.yml | |
branch: master | |
name: msi | |
path: ./ | |
repo: open-eid/libdigidocpp | |
- name: Install artifact | |
run: | | |
Rename-Item "libdigidocpp*VS${{ matrix.vcver }}.msi" libdigidocpp.msi | |
msiexec /qn /a libdigidocpp.msi "TARGETDIR=$($pwd.Path)\\libs" | |
- name: Prepare vcpkg | |
uses: lukka/run-vcpkg@v7 | |
with: | |
vcpkgArguments: openssl zlib flatbuffers | |
vcpkgGitCommitId: 6a349fe1fbea1e5fcda2e0775f555d829a5e82df | |
vcpkgTriplet: x64-windows | |
- name: Install Qt | |
uses: jurplel/install-qt-action@v3 | |
with: | |
version: 6.5.2 | |
arch: win64_msvc2019_64 | |
modules: qt5compat | |
- name: Setup dev env | |
uses: ilammy/msvc-dev-cmd@v1 | |
with: | |
arch: x64 | |
sdk: 10.0.19041.0 | |
- name: Build | |
run: | | |
md build/client | |
copy ${{ env.RUNVCPKG_VCPKG_ROOT }}\installed\x64-windows\bin\*.dll build\client\ | |
cmake "-GNinja" -DCMAKE_BUILD_TYPE=RelWithDebInfo ` | |
-DCMAKE_TOOLCHAIN_FILE=${{ env.RUNVCPKG_VCPKG_ROOT }}/scripts/buildsystems/vcpkg.cmake ` | |
"-DLIBDIGIDOCPP_LIBRARY=libs/libdigidocpp/x64/digidocpp.lib" ` | |
"-DLIBDIGIDOCPP_INCLUDE_DIR=libs/libdigidocpp/include" -B build -S . | |
cmake --build build --target msi | |
cmake --build build --target appx | |
- name: Archive artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: msi | |
path: | | |
build/*.msi | |
build/*.appx | |
coverity: | |
name: Run Coverity tests | |
if: github.repository == 'open-eid/DigiDoc4-Client' && contains(github.ref, 'coverity_scan') | |
runs-on: ubuntu-22.04 | |
env: | |
TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} | |
PROJECTNAME: open-eid/DigiDoc4-Client | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Install dependencies | |
run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake libldap2-dev gettext libpcsclite-dev libminizip-dev libxml-security-c-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libqt6core5compat6-dev libflatbuffers-dev zlib1g-dev | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v2 | |
with: | |
workflow: build.yml | |
branch: master | |
name: debs | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install artifact | |
run: sudo dpkg -i libdigidocpp-pkg/*$(lsb_release -rs)*.deb | |
- name: Download Coverity Build Tool | |
run: | | |
curl -s -d "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64 | |
mkdir cov-analysis-linux64 | |
tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 | |
- name: Build | |
run: | | |
cmake . | |
export PATH=$PWD/cov-analysis-linux64/bin:$PATH | |
cov-build --dir cov-int make | |
- name: Submit the result to Coverity Scan | |
run: | | |
tar czvf upload.tgz cov-int | |
curl -s \ | |
-F project=$PROJECTNAME \ | |
-F token=$TOKEN \ | |
-F email=eid-teenusehaldus@ria.ee \ | |
-F file=@upload.tgz \ | |
-F version=master \ | |
-F description="Github Actions CI build" \ | |
https://scan.coverity.com/builds?project=$PROJECTNAME | |
codeql: | |
name: Run CodeQL tests | |
if: github.repository == 'open-eid/DigiDoc4-Client' | |
runs-on: ubuntu-22.04 | |
permissions: | |
security-events: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Install dependencies | |
run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake libldap2-dev gettext libpcsclite-dev libminizip-dev libxml-security-c-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libqt6core5compat6-dev libflatbuffers-dev zlib1g-dev | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v2 | |
with: | |
workflow: build.yml | |
branch: master | |
name: debs | |
path: libdigidocpp-pkg | |
repo: open-eid/libdigidocpp | |
- name: Install artifact | |
run: sudo dpkg -i libdigidocpp-pkg/*$(lsb_release -rs)*.deb | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: cpp | |
queries: +security-and-quality | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@v2 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 | |
with: | |
upload: False | |
output: sarif-results | |
- name: Filter results | |
uses: advanced-security/filter-sarif@develop | |
with: | |
patterns: | | |
-**/*autogen*/** | |
-**/common/qtsingleapplication/** | |
-**:cpp/loop-variable-changed | |
-**:cpp/poorly-documented-function | |
input: sarif-results/cpp.sarif | |
output: sarif-results/cpp.sarif | |
- name: Upload results | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: sarif-results/cpp.sarif |