This repository has been archived by the owner on Sep 15, 2024. It is now read-only.
CI: CodeQL Unit Testing Advanced #859
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################ | |
# Author : H0llyW00dzZ # | |
############################ | |
name: "CI: CodeQL Unit Testing Advanced" | |
on: | |
push: | |
# modify this branch | |
branches: | |
- main | |
paths-ignore: | |
- '**.md' | |
- '.github/workflows/**' | |
pull_request: | |
branches: | |
- main | |
paths-ignore: | |
- '**.md' | |
- '.github/workflows/**' | |
types: [opened, reopened, synchronize] | |
schedule: | |
- cron: '0 0 * * *' | |
# allows you to run this workflow manually | |
# Adding an `inputs` section to the `workflow_dispatch` event to define a new input parameter called `branch` | |
workflow_dispatch: | |
inputs: | |
branch: | |
description: 'Branch to scan' | |
required: true | |
default: 'main' | |
jobs: | |
analyze: | |
name: Analyze | |
runs-on: ${{ matrix.language == 'swift' && 'macos-latest' || 'ubuntu-latest' }} | |
timeout-minutes: ${{ matrix.language == 'swift' && 120 || 360 }} | |
permissions: | |
actions: read | |
contents: read | |
pull-requests: write | |
deployments: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
# this can be modified example if your repo is only python then remove 'javascript', 'go' | |
language: ['javascript-typescript'] | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
with: | |
ref: ${{ github.event.inputs.branch }} | |
- name: Detect repository language | |
id: detect-language | |
run: | | |
echo "languages=${{ matrix.language }}" >> $GITHUB_ENV | |
echo "fileExists=true" >> $GITHUB_ENV | |
- name: Set up Python | |
if: ${{ matrix.language == 'python' }} | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.x' | |
env: | |
NODE_VERSION: 18 | |
- name: Install Python dependencies | |
if: ${{ matrix.language == 'python' && matrix.fileExists }} | |
run: python -m pip install --upgrade pip && pip install -r requirements.txt | |
- name: Set up JavaScript/TypeScript | |
if: ${{ matrix.language == 'javascript-typescript' }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '18' | |
- name: Install JavaScript/TypeScript dependencies | |
if: ${{ matrix.language == 'javascript-typescript' && matrix.fileExists }} | |
run: npm ci | |
- name: Set up Go | |
if: ${{ matrix.language == 'go' }} | |
uses: actions/setup-go@v4 | |
with: | |
go-version: '1.21.3' | |
env: | |
NODE_VERSION: 18 | |
- name: Install Go dependencies | |
if: ${{ matrix.language == 'go' && matrix.fileExists }} | |
run: go mod download | |
# Get CodeQL config from gist | |
- name: Get config from gist | |
run: | | |
mkdir -p .github/codeql | |
curl -o .github/codeql/codeql-config.yml https://gist.githubusercontent.com/H0llyW00dzZ/230f3422c3be901915f2802d3a3314b1/raw/dbdae057dfeabc6af42d5322c948f563dc8277a1/codeql-config.yml | |
- name: Initialize CodeQL | |
id: InitCodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
# Configuration for init codeQL | |
languages: ${{ env.languages }} | |
config-file: ./.github/codeql/codeql-config.yml | |
# Attempt to automatically build code for compiled languages | |
# Currently only for Go, but more can be added later | |
- name: Attempt to automatically build code for ${{ matrix.language }} | |
if: ${{ matrix.language == 'go' }} | |
uses: github/codeql-action/autobuild@v3 | |
- name: Perform CodeQL-Security Analysis | |
if: ${{ env.languages != '' }} | |
id: CodeQL | |
uses: github/codeql-action/analyze@v3 | |
with: | |
# disable default upload because using multiple method | |
upload: false | |
# snippets for SARIF file | |
add-snippets: true | |
- name: Upload ${{ matrix.language }} SARIF for Analysis Result | |
if: ${{ matrix.language && env.languages != '' }} | |
id: upload-Analysis_Result-sarif | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: ${{ runner.workspace }}/results/javascript.sarif | |
category: "Analysis Result: ${{ matrix.language }}" | |
# since it public everyone can see in artifact about Analysis Result | |
# just for incase you can disable this later by block # | |
- name: Encrypt Analysis Result | |
if: ${{ matrix.language && env.languages != '' }} | |
id: Encrypt_Analysis | |
run: | | |
curl -sSL "https://github.com/${{ github.repository_owner }}.gpg" -o keyfile | |
gpg --import keyfile | |
gpg --encrypt --recipient 05C7FFFC0845C930 --trust-model always "${{ runner.workspace }}/results/javascript.sarif" | |
- name: Upload Analysis Result As Artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: Analysis_Result (SARIF + Encrypted) | |
path: ${{ runner.workspace }}/results/javascript.sarif.gpg | |
- name: Check CodeQL Unit Testing status | |
if: ${{github.event_name == 'pull_request' }} | |
id: check-status | |
run: | | |
if [ -f "${{ runner.workspace }}/results/javascript.sarif.gpg" ]; then | |
echo "codeql_status=done" >> $GITHUB_STATE | |
echo "codeql_status=done" >> $GITHUB_OUTPUT | |
echo "pull_request_number=${{ github.event.pull_request.number }}" >> $GITHUB_STATE | |
echo "pull_request_number=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT | |
else | |
echo "codeql_status=pending" >> $GITHUB_STATE | |
echo "codeql_status=pending" >> $GITHUB_OUTPUT | |
fi | |
- name: PR comment | |
if: ${{ steps.check-status.outputs.codeql_status == 'done' && github.event_name == 'pull_request' }} | |
uses: NejcZdovc/comment-pr@v2 | |
with: | |
message: "CodeQL analysis is complete for PR #${{ steps.check-status.outputs.pull_request_number }}" | |
github_token: ${{ secrets.GITHUB_TOKEN }} |