key only #502
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "CodeQL" | |
on: | |
push: | |
branches: [develop, main] | |
pull_request: | |
branches: [develop] | |
schedule: | |
- cron: '34 10 * * 4' | |
permissions: {} | |
jobs: | |
CodeQL-Build: | |
permissions: | |
actions: read # for github/codeql-action/init to get workflow details | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/analyze to upload SARIF results | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
# Override automatic language detection by changing the below list | |
# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] | |
language: ['java', 'javascript'] | |
# Learn more... | |
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
# Checkout must run before the caching key is computed using the `hashFiles` method | |
- name: Cache Gradle Modules | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.gradle/caches/modules-2/ | |
~/.gradle/caches/build-cache-1/ | |
~/.gradle/caches/signatures/ | |
~/.gradle/caches/keyrings/ | |
key: ${{ runner.os }}-gradle-cache-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }} | |
if: ${{ matrix.language == 'java' }} | |
- name: Disable checksum offloading | |
# See: https://github.com/actions/virtual-environments/issues/1187#issuecomment-686735760 | |
run: sudo ethtool -K eth0 tx off rx off | |
# Install and setup JDK 17 | |
- name: Setup JDK 17 | |
uses: actions/setup-java@v4 | |
with: | |
distribution: temurin | |
java-version: 17 | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: ${{ matrix.language }} | |
tools: latest | |
# If you wish to specify custom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list here with "+" to use these queries and those in the config file. | |
# queries: ./path/to/local/query, your-org/your-repo/queries@main | |
- name: Compile with Gradle with Build Scan | |
if: ${{ matrix.language == 'java' && github.repository_owner == 'gradle' }} | |
run: ./gradlew --init-script .github/workflows/codeql-analysis.init.gradle -DcacheNode=us -S testClasses -Dhttp.keepAlive=false | |
env: | |
# Set the DEVELOCITY_ACCESS_KEY so that Gradle Build Scans are generated | |
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} | |
# Potential stop-gap solution for ReadTimeout issues with the Gradle Build Cache | |
# https://gradle.slack.com/archives/CHDLT99C6/p1636477584059200 | |
GRADLE_OPTS: -Dhttp.keepAlive=false | |
ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_PRIVATE_KEY }} | |
ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.GPG_PRIVATE_KEY_ID }} | |
ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_PASSPHRASE }} | |
ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.NEXUS_USERNAME }} | |
ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.NEXUS_PASSWORD }} | |
- name: Compile with Gradle without Build Scan | |
if: ${{ matrix.language == 'java' && github.repository_owner != 'gradle' }} | |
run: ./gradlew --init-script .github/workflows/codeql-analysis.init.gradle -S testClasses | |
- name: Cleanup Gradle Daemons | |
run: ./gradlew --stop | |
if: ${{ matrix.language == 'java' }} | |
# ℹ️ Command-line programs to run using the OS shell. | |
# 📚 https://git.io/JvXDl | |
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines | |
# and modify them (or add more) to build your code if your project | |
# uses a compiled language | |
#- run: | | |
# make bootstrap | |
# make release | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
config-file: ./.github/codeql/codeql-config.yml | |
- name: Cleanup Gradle Cache | |
# Cleans up the Gradle caches before being cached | |
run: | | |
rm -f ~/.gradle/caches/modules-2/modules-2.lock | |
rm -f ~/.gradle/caches/modules-2/gc.properties | |
if: ${{ matrix.language == 'java' }} |