CodeQL #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# For most projects, this workflow file will not need changing; you simply need | |
# to commit it to your repository. | |
# | |
# You may wish to alter this file to override the set of languages analyzed, | |
# or to provide custom queries or build logic. | |
name: "CodeQL" | |
on: | |
push: | |
branches: [development, main] | |
schedule: | |
- cron: '0 7 * * 3' | |
workflow_dispatch: | |
jobs: | |
analyze: | |
name: ${{matrix.buildname}} | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- language: cpp | |
buildname: 'CodeQL' | |
qt: '5.14.1' | |
triplet: x64-linux | |
compiler: gcc_64 | |
# We need a gcc and it ain't always the same one: | |
gcc_compiler_version: 9 | |
os: ubuntu-latest | |
env: | |
BOOST_ROOT: ${{github.workspace}}/3rdparty/boost | |
BOOST_URL: https://sourceforge.net/projects/boost/files/boost/1.83.0/boost_1_83_0.tar.bz2/download | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
# We must fetch at least the immediate parents so that if this is | |
# a pull request then we can checkout the head. | |
fetch-depth: 2 | |
submodules: true | |
- name: (Windows) Install Qt | |
uses: jurplel/install-qt-action@v3 | |
if: runner.os == 'Windows' | |
with: | |
version: ${{matrix.qt}} | |
dir: ${{runner.workspace}} | |
arch: win64_mingw73 | |
cache: true | |
- name: (Linux/macOS) Install Qt | |
uses: jurplel/install-qt-action@v3 | |
if: runner.os == 'Linux' || runner.os == 'macOS' | |
with: | |
version: ${{matrix.qt}} | |
dir: ${{runner.workspace}} | |
cache: true | |
- name: Restore Boost cache | |
uses: actions/cache@v4 | |
id: cache-boost | |
with: | |
path: ${{env.BOOST_ROOT}} | |
key: boost | |
- name: Install Boost | |
if: steps.cache-boost.outputs.cache-hit != 'true' | |
run: | | |
if [ "$OS" == "Windows_NT" ]; then | |
# fix up paths to be forward slashes consistently | |
BOOST_ROOT=$(echo $BOOST_ROOT | sed 's/\\/\//g') | |
fi | |
mkdir -p $BOOST_ROOT | |
curl --progress-bar --location --output $BOOST_ROOT/download.tar.bz2 $BOOST_URL | |
7z -o$BOOST_ROOT x $BOOST_ROOT/download.tar.bz2 -y -bd | |
7z -o$BOOST_ROOT x $BOOST_ROOT/download.tar -y -bd | |
cd $BOOST_ROOT && cp -r boost_*/* . | |
rm -rf boost_*/* download.tar.bz2 download.tar | |
shell: bash | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
config-file: ./.github/codeql/codeql-config.yml | |
languages: ${{ matrix.language }} | |
# If you wish to specify custom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list here with "+" to use these queries and those in the config file. | |
queries: security-extended, security-and-quality | |
# workaround a poor interaction between github actions/cmake/vcpkg, see https://github.com/lukka/run-vcpkg/issues/88#issuecomment-885758902 | |
- name: Use CMake 3.20.1 | |
uses: lukka/[email protected] | |
- name: (Linux) Install non-vcpkg dependencies (1/2) | |
if: runner.os == 'Linux' | |
run: | | |
# dependencies needed for vcpkg specifically | |
sudo apt-get install gettext -y | |
- name: Restore from cache and run vcpkg | |
uses: lukka/run-vcpkg@v7 | |
env: | |
vcpkgResponseFile: ${{github.workspace}}/3rdparty/our-vcpkg-dependencies/vcpkg-${{matrix.triplet}}-dependencies | |
with: | |
vcpkgArguments: '@${{env.vcpkgResponseFile}}' | |
vcpkgDirectory: '${{github.workspace}}/3rdparty/vcpkg' | |
appendedCacheKey: ${{hashFiles(env.vcpkgResponseFile)}}-cachekey | |
- name: (Linux) Install non-vcpkg dependencies (2/2) | |
if: runner.os == 'Linux' | |
run: | | |
# Install from vcpkg everything we can for cross-platform consistency | |
# If not available, use other methods | |
sudo apt-get install ccache pkg-config pcregrep luarocks expect libzip-dev libglu1-mesa-dev libpulse-dev g++-${{matrix.gcc_compiler_version}} -y | |
# switch to GCC that supports C++17 while retaining support for older OS's | |
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-${{matrix.gcc_compiler_version}} ${{matrix.gcc_compiler_version}} | |
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-${{matrix.gcc_compiler_version}} ${{matrix.gcc_compiler_version}} | |
sudo update-alternatives --set gcc /usr/bin/gcc-${{matrix.gcc_compiler_version}} | |
sudo update-alternatives --set g++ /usr/bin/g++-${{matrix.gcc_compiler_version}} | |
echo "CCACHE_DIR=${{runner.workspace}}/ccache" >> $GITHUB_ENV | |
# Install lua-yajl early to generate translation statistics | |
export PATH="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/tools/lua:$PATH" | |
# workaround https://github.com/lloyd/yajl/issues/209 | |
mv ${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/lib/libyajl_s.a ${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/lib/libyajl.a | |
mv ${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/debug/lib/libyajl_s.a ${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/debug/lib/libyajl.a | |
# Rock locations search is hardcoded to -L/usr/local/lib and not adjustable | |
export LIBRARY_PATH="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/lib:$LIBRARY_PATH" | |
# LUA_INCDIR needs to be passed as well due to https://github.com/luarocks/luarocks/issues/1239 | |
luarocks install YAJL_INCDIR="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/include" YAJL_LIBDIR="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/lib" LUA_INCDIR="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/include" --local lua-yajl | |
# Allow stats generation script to see location of lua-yajl | |
eval "$(luarocks path --local --lua-version "5.1")" | |
echo "LUA_PATH=$LUA_PATH" >> $GITHUB_ENV | |
echo "LUA_CPATH=$LUA_CPATH" >> $GITHUB_ENV | |
- name: (Linux/macOS) Set build info | |
if: runner.os == 'Linux' || runner.os == 'macOS' | |
run: | | |
${{github.workspace}}/CI/travis.validate_deployment.sh | |
${{github.workspace}}/CI/travis.set-build-info.sh | |
- name: Build Mudlet | |
uses: lukka/run-cmake@v3 | |
with: | |
cmakeListsOrSettingsJson: CMakeListsTxtAdvanced | |
cmakeListsTxtPath: '${{github.workspace}}/CMakeLists.txt' | |
useVcpkgToolchainFile: true | |
buildDirectory: '${{runner.workspace}}/b/ninja' | |
cmakeAppendedArgs: >- | |
-G Ninja | |
-DCMAKE_PREFIX_PATH=${{env.MINGW_BASE_DIR}} | |
-DVCPKG_APPLOCAL_DEPS=OFF | |
env: | |
NINJA_STATUS: '[%f/%t %o/sec] ' | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:${{ matrix.language }}" | |
upload: false | |
output: sarif-results | |
- name: Filter out 3rdparty dependencies | |
uses: advanced-security/filter-sarif@v1 | |
with: | |
patterns: | | |
-3rdparty/** | |
input: sarif-results/${{ matrix.language }}.sarif | |
output: sarif-results/${{ matrix.language }}.sarif | |
- name: Upload SARIF | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: sarif-results/${{ matrix.language }}.sarif |