forked from Mudlet/Mudlet
-
Notifications
You must be signed in to change notification settings - Fork 0
187 lines (162 loc) · 7.29 KB
/
codeql-analysis.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"
on:
push:
branches: [development, main]
schedule:
- cron: '0 7 * * 3'
workflow_dispatch:
jobs:
analyze:
name: ${{matrix.buildname}}
runs-on: ubuntu-latest
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
include:
- language: cpp
buildname: 'CodeQL'
qt: '5.14.1'
triplet: x64-linux
compiler: gcc_64
# We need a gcc and it ain't always the same one:
gcc_compiler_version: 9
os: ubuntu-latest
env:
BOOST_ROOT: ${{github.workspace}}/3rdparty/boost
BOOST_URL: https://sourceforge.net/projects/boost/files/boost/1.83.0/boost_1_83_0.tar.bz2/download
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
submodules: true
- name: (Windows) Install Qt
uses: jurplel/install-qt-action@v3
if: runner.os == 'Windows'
with:
version: ${{matrix.qt}}
dir: ${{runner.workspace}}
arch: win64_mingw73
cache: true
- name: (Linux/macOS) Install Qt
uses: jurplel/install-qt-action@v3
if: runner.os == 'Linux' || runner.os == 'macOS'
with:
version: ${{matrix.qt}}
dir: ${{runner.workspace}}
cache: true
- name: Restore Boost cache
uses: actions/cache@v4
id: cache-boost
with:
path: ${{env.BOOST_ROOT}}
key: boost
- name: Install Boost
if: steps.cache-boost.outputs.cache-hit != 'true'
run: |
if [ "$OS" == "Windows_NT" ]; then
# fix up paths to be forward slashes consistently
BOOST_ROOT=$(echo $BOOST_ROOT | sed 's/\\/\//g')
fi
mkdir -p $BOOST_ROOT
curl --progress-bar --location --output $BOOST_ROOT/download.tar.bz2 $BOOST_URL
7z -o$BOOST_ROOT x $BOOST_ROOT/download.tar.bz2 -y -bd
7z -o$BOOST_ROOT x $BOOST_ROOT/download.tar -y -bd
cd $BOOST_ROOT && cp -r boost_*/* .
rm -rf boost_*/* download.tar.bz2 download.tar
shell: bash
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
config-file: ./.github/codeql/codeql-config.yml
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
queries: security-extended, security-and-quality
# workaround a poor interaction between github actions/cmake/vcpkg, see https://github.com/lukka/run-vcpkg/issues/88#issuecomment-885758902
- name: Use CMake 3.20.1
uses: lukka/[email protected]
- name: (Linux) Install non-vcpkg dependencies (1/2)
if: runner.os == 'Linux'
run: |
# dependencies needed for vcpkg specifically
sudo apt-get install gettext -y
- name: Restore from cache and run vcpkg
uses: lukka/run-vcpkg@v7
env:
vcpkgResponseFile: ${{github.workspace}}/3rdparty/our-vcpkg-dependencies/vcpkg-${{matrix.triplet}}-dependencies
with:
vcpkgArguments: '@${{env.vcpkgResponseFile}}'
vcpkgDirectory: '${{github.workspace}}/3rdparty/vcpkg'
appendedCacheKey: ${{hashFiles(env.vcpkgResponseFile)}}-cachekey
- name: (Linux) Install non-vcpkg dependencies (2/2)
if: runner.os == 'Linux'
run: |
# Install from vcpkg everything we can for cross-platform consistency
# If not available, use other methods
sudo apt-get install ccache pkg-config pcregrep luarocks expect libzip-dev libglu1-mesa-dev libpulse-dev g++-${{matrix.gcc_compiler_version}} -y
# switch to GCC that supports C++17 while retaining support for older OS's
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-${{matrix.gcc_compiler_version}} ${{matrix.gcc_compiler_version}}
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-${{matrix.gcc_compiler_version}} ${{matrix.gcc_compiler_version}}
sudo update-alternatives --set gcc /usr/bin/gcc-${{matrix.gcc_compiler_version}}
sudo update-alternatives --set g++ /usr/bin/g++-${{matrix.gcc_compiler_version}}
echo "CCACHE_DIR=${{runner.workspace}}/ccache" >> $GITHUB_ENV
# Install lua-yajl early to generate translation statistics
export PATH="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/tools/lua:$PATH"
# workaround https://github.com/lloyd/yajl/issues/209
mv ${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/lib/libyajl_s.a ${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/lib/libyajl.a
mv ${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/debug/lib/libyajl_s.a ${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/debug/lib/libyajl.a
# Rock locations search is hardcoded to -L/usr/local/lib and not adjustable
export LIBRARY_PATH="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/lib:$LIBRARY_PATH"
# LUA_INCDIR needs to be passed as well due to https://github.com/luarocks/luarocks/issues/1239
luarocks install YAJL_INCDIR="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/include" YAJL_LIBDIR="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/lib" LUA_INCDIR="${{env.VCPKG_ROOT}}/installed/${{matrix.triplet}}/include" --local lua-yajl
# Allow stats generation script to see location of lua-yajl
eval "$(luarocks path --local --lua-version "5.1")"
echo "LUA_PATH=$LUA_PATH" >> $GITHUB_ENV
echo "LUA_CPATH=$LUA_CPATH" >> $GITHUB_ENV
- name: (Linux/macOS) Set build info
if: runner.os == 'Linux' || runner.os == 'macOS'
run: |
${{github.workspace}}/CI/travis.validate_deployment.sh
${{github.workspace}}/CI/travis.set-build-info.sh
- name: Build Mudlet
uses: lukka/run-cmake@v3
with:
cmakeListsOrSettingsJson: CMakeListsTxtAdvanced
cmakeListsTxtPath: '${{github.workspace}}/CMakeLists.txt'
useVcpkgToolchainFile: true
buildDirectory: '${{runner.workspace}}/b/ninja'
cmakeAppendedArgs: >-
-G Ninja
-DCMAKE_PREFIX_PATH=${{env.MINGW_BASE_DIR}}
-DVCPKG_APPLOCAL_DEPS=OFF
env:
NINJA_STATUS: '[%f/%t %o/sec] '
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
upload: false
output: sarif-results
- name: Filter out 3rdparty dependencies
uses: advanced-security/filter-sarif@v1
with:
patterns: |
-3rdparty/**
input: sarif-results/${{ matrix.language }}.sarif
output: sarif-results/${{ matrix.language }}.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results/${{ matrix.language }}.sarif