From 8fd48bb75b46679534c549839ea0595d057178c7 Mon Sep 17 00:00:00 2001
From: Laura
Date: Tue, 27 Dec 2022 18:32:36 -0800
Subject: [PATCH 1/2] Create Code-Scanning.yml

This file is identical to the existing workflow except that it has been created via the GitHub Security Code Scanning menu, which registers the workflow with the Code Scanning triggers unlike the existing workflow. If this successfully meets the Security requirements, the next commit will remove the duplicate workflow.
---
 .github/workflows/Code-Scanning.yml | 70 +++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 .github/workflows/Code-Scanning.yml

diff --git a/.github/workflows/Code-Scanning.yml b/.github/workflows/Code-Scanning.yml
new file mode 100644
index 000000000..a70cf750e
--- /dev/null
+++ b/.github/workflows/Code-Scanning.yml
@@ -0,0 +1,70 @@
+# This workflow runs the latest CodeQL CLI and checks against CodeQL's Cpp library.
+# It will only analyze solutions which have been changed.
+
+name: "CodeQL Analysis"
+
+on:
+ push:
+ branches:
+ - main
+ - develop
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches:
+ - main
+ - develop
+
+ # Do not perform analysis if only config or text files are changed
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.txt'
+ - './.github/**'
+
+ # Allow manual scheduling
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Analysis
+ runs-on: windows-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Add MSBuild to PATH
+ uses: microsoft/setup-msbuild@v1.0.2
+
+ - name: Get changed files
+ id: get-changed-files
+ uses: tj-actions/changed-files@v27
+
+ - name: Retrieve and build solutions from changed files
+ id: build-changed-projects
+ run: |
+ $changedFiles = "${{ steps.get-changed-files.outputs.all_changed_files }}".Split(' ')
+ .\.github\scripts\Build-ChangedProjects.ps1 -ChangedFiles $changedFiles
+ env:
+ Configuration: ${{ matrix.configuration }}
+ Platform: ${{ matrix.platform }}
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"

From f1c1619463ab46254a70cae472e68c5a3d5eb7c6 Mon Sep 17 00:00:00 2001
From: Laura
Date: Tue, 27 Dec 2022 18:56:56 -0800
Subject: [PATCH 2/2] Updates Code Scanning Exclusion

Excludes all files within the .github directory from triggering the Code Scanning workflow.
---
 .github/workflows/Code-Scanning.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
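Review bot: The `run:` block of the build-changed-projects step interpolates `${{ steps.get-changed-files.outputs.all_changed_files }}` directly into PowerShell source, and on the `pull_request` trigger that list consists of file paths chosen by the PR author, so a path containing a double quote followed by PowerShell text is executed on the runner with whatever GITHUB_TOKEN permissions the run has (the classic expression-injection pattern). Pass the value through the environment instead: add `CHANGED_FILES: ${{ steps.get-changed-files.outputs.all_changed_files }}` under that step's `env:` and change the first script line to `$changedFiles = $env:CHANGED_FILES.Split(' ')`; splitting on a single space also breaks on any path that contains one, so it is worth checking whether the action can emit a safer separator. `Configuration: ${{ matrix.configuration }}` and `Platform: ${{ matrix.platform }}` expand to empty strings because the matrix declares only `language`, which presumably leaves Build-ChangedProjects.ps1 building with its own defaults rather than the intended configuration. The third-party actions `tj-actions/changed-files@v27` and `microsoft/setup-msbuild@v1.0.2` are referenced by mutable tags; pin them to full-length commit SHAs (keeping the version in a trailing comment) so that a moved tag cannot change what runs in a job holding `security-events: write`.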
diff --git a/.github/workflows/Code-Scanning.yml b/.github/workflows/Code-Scanning.yml
index a70cf750e..3f9d1b7a0 100644
--- a/.github/workflows/Code-Scanning.yml
+++ b/.github/workflows/Code-Scanning.yml
@@ -18,7 +18,7 @@ on:
 paths-ignore:
 - '**/*.md'
 - '**/*.txt'
- - './.github/**'
+ - '.github/**'

 # Allow manual scheduling
 workflow_dispatch:
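Review bot: The widened `.github/**` exclusion also covers `.github/scripts/Build-ChangedProjects.ps1`, which this workflow executes in its build step, and the workflow file itself, so a change to either never triggers a scan on its own and a broken build helper (or a weakened permissions block) is only exercised on the next source change. That is presumably acceptable for a CodeQL-only job, but it deserves a comment next to the entry: `# NOTE: also skips runs for this workflow and .github/scripts; trigger via workflow_dispatch after editing them`. The hunk's indentation is collapsed in this listing, so whether `paths-ignore` sits under `pull_request` (where it is a valid filter) or directly under `on:` (which, as far as I know, GitHub rejects as an unexpected key) cannot be confirmed here and should be verified in the file. The enclosing `on:` block starts before the hunk.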