-
Notifications
You must be signed in to change notification settings - Fork 3
159 lines (144 loc) · 5.29 KB
/
codeql.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
# TODO: Add support for handling multiple languages in the CodeQL workflow
name: "CodeQL"
on:
workflow_call:
inputs:
languages:
description: 'Languages to analyze'
required: false
default: '["java"]'
type: string
extraCommand:
description: 'Specify it if you want to run an extra command before attaching the artifact'
required: false
default: ''
type: string
buildCommand:
description: 'Custom build command'
required: false
default: ''
type: string
jobs:
analyze:
name: Analyze
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ${{fromJson(inputs.languages)}}
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
# Use only 'java' to analyze code written in Java, Kotlin or both
# Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
uses: actions/checkout@v4
# setting a build mode based on whether a buildCommand is provided or not.
# If a buildCommand is provided, it sets the build mode to "manual"; otherwise, it sets it to "autobuild".
- name: set build mode
id: set-build-mode
run: |
if [[ -n "${{ inputs.buildCommand }}" ]]
then
echo "Build command is provided. Setting buildMode to manual"
buildMode='manual'
else
echo "Build command is not provided. Setting buildMode to autobuild"
buildMode='autobuild'
fi
echo "buildMode=$buildMode" >> $GITHUB_OUTPUT
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ steps.set-build-mode.outputs.buildMode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
queries: security-extended,security-and-quality
- name: Setup JDK
if: matrix.language == 'java'
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
cache: 'maven'
- name: Run extra command
if: inputs.extraCommand != ''
run: |
${{ inputs.extraCommand }}
- name: Set up Maven
if: matrix.language == 'java'
uses: stCarolas/setup-maven@v4.5
with:
maven-version: "3.9.5"
# look for dependencies in maven
- name: maven-settings-xml-action
if: matrix.language == 'java'
uses: whelk-io/maven-settings-xml-action@v21
with:
repositories: |
[
{
"id": "liquibase",
"url": "https://maven.pkg.github.com/liquibase/liquibase",
"releases": {
"enabled": "true"
},
"snapshots": {
"enabled": "true",
"updatePolicy": "always"
}
},
{
"id": "liquibase-pro",
"url": "https://maven.pkg.github.com/liquibase/liquibase-pro",
"releases": {
"enabled": "true"
},
"snapshots": {
"enabled": "true",
"updatePolicy": "always"
}
}
]
servers: |
[
{
"id": "liquibase-pro",
"username": "liquibot",
"password": "${{ secrets.LIQUIBOT_PAT }}"
},
{
"id": "liquibase",
"username": "liquibot",
"password": "${{ secrets.LIQUIBOT_PAT }}"
}
]
# users can specify the custom build command via the buildCommand input.
# If no custom command is provided, it will be 'autobuild' by codeql in step set-build-mode .
- name: Build
if: steps.set-build-mode.outputs.buildMode == 'manual'
run: |
${{ inputs.buildCommand }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"