Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
codeql-action/.github/workflows/codeql.yml
View runs Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CodeQL action" | |
| on: | |
| push: | |
| branches: [main, releases/v*] | |
| pull_request: | |
| branches: [main, releases/v*] | |
| # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened | |
| # by other workflows. | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| schedule: | |
| # Weekly on Sunday. | |
| - cron: '30 1 * * 0' | |
| workflow_dispatch: | |
| env: | |
| CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks | |
| jobs: | |
| # Identify the CodeQL tool versions to use in the analysis job. | |
| check-codeql-versions: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| versions: ${{ steps.compare.outputs.versions }} | |
| permissions: | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Init with default CodeQL bundle from the VM image | |
| id: init-default | |
| uses: ./init | |
| with: | |
| languages: javascript | |
| - name: Remove empty database | |
| # allows us to run init a second time | |
| run: | | |
| rm -rf "$RUNNER_TEMP/codeql_databases" | |
| - name: Init with latest CodeQL bundle | |
| id: init-latest | |
| uses: ./init | |
| with: | |
| tools: latest | |
| languages: javascript | |
| - name: Compare default and latest CodeQL bundle versions | |
| id: compare | |
| env: | |
| CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }} | |
| CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }} | |
| run: | | |
| CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)" | |
| CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)" | |
| echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT" | |
| echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST" | |
| # If we're running on a pull request, run with both bundles, even if `tools: latest` would | |
| # be the same as `tools: null`. This allows us to make the job for each of the bundles a | |
| # required status check. | |
| # | |
| # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be | |
| # the same as running with `tools: null`. | |
| if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then | |
| VERSIONS_JSON='[null]' | |
| else | |
| VERSIONS_JSON='[null, "latest"]' | |
| fi | |
| # Output a JSON-encoded list with the distinct versions to test against. | |
| echo "Suggested matrix config for analysis job: $VERSIONS_JSON" | |
| echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT | |
| build: | |
| needs: [check-codeql-versions] | |
| strategy: | |
| matrix: | |
| os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-11,macos-12,macos-13] | |
| tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }} | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: ./init | |
| id: init | |
| with: | |
| languages: javascript | |
| config-file: ./.github/codeql/codeql-config.yml | |
| tools: ${{ matrix.tools }} | |
| # confirm steps.init.outputs.codeql-path points to the codeql binary | |
| - name: Print CodeQL Version | |
| run: ${{steps.init.outputs.codeql-path}} version --format=json | |
| - name: Perform CodeQL Analysis | |
| uses: ./analyze |