Skip to content
This repository has been archived by the owner on Sep 15, 2024. It is now read-only.

CI: CodeQL Unit Testing Advanced #857

CI: CodeQL Unit Testing Advanced

CI: CodeQL Unit Testing Advanced #857

Workflow file for this run

############################
# Author : H0llyW00dzZ #
############################
name: "CI: CodeQL Unit Testing Advanced"
on:
push:
# modify this branch
branches:
- main
paths-ignore:
- '**.md'
- '.github/workflows/**'
pull_request:
branches:
- main
paths-ignore:
- '**.md'
- '.github/workflows/**'
types: [opened, reopened, synchronize]
schedule:
- cron: '0 0 * * *'
# allows you to run this workflow manually
# Adding an `inputs` section to the `workflow_dispatch` event to define a new input parameter called `branch`
workflow_dispatch:
inputs:
branch:
description: 'Branch to scan'
required: true
default: 'main'
jobs:
analyze:
name: Analyze
runs-on: ${{ matrix.language == 'swift' && 'macos-latest' || 'ubuntu-latest' }}
timeout-minutes: ${{ matrix.language == 'swift' && 120 || 360 }}
permissions:
actions: read
contents: read
pull-requests: write
deployments: read
security-events: write
strategy:
fail-fast: false
matrix:
# this can be modified example if your repo is only python then remove 'javascript', 'go'
language: ['javascript-typescript']
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: ${{ github.event.inputs.branch }}
- name: Detect repository language
id: detect-language
run: |
echo "languages=${{ matrix.language }}" >> $GITHUB_ENV
echo "fileExists=true" >> $GITHUB_ENV
- name: Set up Python
if: ${{ matrix.language == 'python' }}
uses: actions/setup-python@v4
with:
python-version: '3.x'
env:
NODE_VERSION: 18
- name: Install Python dependencies
if: ${{ matrix.language == 'python' && matrix.fileExists }}
run: python -m pip install --upgrade pip && pip install -r requirements.txt
- name: Set up JavaScript/TypeScript
if: ${{ matrix.language == 'javascript-typescript' }}
uses: actions/setup-node@v4
with:
node-version: '18'
- name: Install JavaScript/TypeScript dependencies
if: ${{ matrix.language == 'javascript-typescript' && matrix.fileExists }}
run: npm ci
- name: Set up Go
if: ${{ matrix.language == 'go' }}
uses: actions/setup-go@v4
with:
go-version: '1.21.3'
env:
NODE_VERSION: 18
- name: Install Go dependencies
if: ${{ matrix.language == 'go' && matrix.fileExists }}
run: go mod download
# Get CodeQL config from gist
- name: Get config from gist
run: |
mkdir -p .github/codeql
curl -o .github/codeql/codeql-config.yml https://gist.githubusercontent.com/H0llyW00dzZ/230f3422c3be901915f2802d3a3314b1/raw/dbdae057dfeabc6af42d5322c948f563dc8277a1/codeql-config.yml
- name: Initialize CodeQL
id: InitCodeQL
uses: github/codeql-action/init@v3
with:
# Configuration for init codeQL
languages: ${{ env.languages }}
config-file: ./.github/codeql/codeql-config.yml
# Attempt to automatically build code for compiled languages
# Currently only for Go, but more can be added later
- name: Attempt to automatically build code for ${{ matrix.language }}
if: ${{ matrix.language == 'go' }}
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL-Security Analysis
if: ${{ env.languages != '' }}
id: CodeQL
uses: github/codeql-action/analyze@v3
with:
# disable default upload because using multiple method
upload: false
# snippets for SARIF file
add-snippets: true
- name: Upload ${{ matrix.language }} SARIF for Analysis Result
if: ${{ matrix.language && env.languages != '' }}
id: upload-Analysis_Result-sarif
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ runner.workspace }}/results/javascript.sarif
category: "Analysis Result: ${{ matrix.language }}"
# since it public everyone can see in artifact about Analysis Result
# just for incase you can disable this later by block #
- name: Encrypt Analysis Result
if: ${{ matrix.language && env.languages != '' }}
id: Encrypt_Analysis
run: |
curl -sSL "https://github.com/${{ github.repository_owner }}.gpg" -o keyfile
gpg --import keyfile
gpg --encrypt --recipient 05C7FFFC0845C930 --trust-model always "${{ runner.workspace }}/results/javascript.sarif"
- name: Upload Analysis Result As Artifact
uses: actions/upload-artifact@v3
with:
name: Analysis_Result (SARIF + Encrypted)
path: ${{ runner.workspace }}/results/javascript.sarif.gpg
- name: Check CodeQL Unit Testing status
if: ${{github.event_name == 'pull_request' }}
id: check-status
run: |
if [ -f "${{ runner.workspace }}/results/javascript.sarif.gpg" ]; then
echo "codeql_status=done" >> $GITHUB_STATE
echo "codeql_status=done" >> $GITHUB_OUTPUT
echo "pull_request_number=${{ github.event.pull_request.number }}" >> $GITHUB_STATE
echo "pull_request_number=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
else
echo "codeql_status=pending" >> $GITHUB_STATE
echo "codeql_status=pending" >> $GITHUB_OUTPUT
fi
- name: PR comment
if: ${{ steps.check-status.outputs.codeql_status == 'done' && github.event_name == 'pull_request' }}
uses: NejcZdovc/comment-pr@v2
with:
message: "CodeQL analysis is complete for PR #${{ steps.check-status.outputs.pull_request_number }}"
github_token: ${{ secrets.GITHUB_TOKEN }}