Skip to content

[security] codeql analyses #5639

[security] codeql analyses

[security] codeql analyses #5639

name: "[security] codeql analyses"
on:
push:
branches:
- v3.0-dev
- v3.0
pull_request:
branches:
- v3.0-dev
- v3.0
schedule:
# Run every day at 20:00 UTC(04:00 UTC+08:00).
- cron: '0 20 * * *'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
permissions:
actions: read
contents: read
security-events: write
jobs:
triage:
runs-on: ubuntu-latest
outputs:
languages: ${{ steps.action.outputs.languages }}
group: ${{ steps.action.outputs.group }}
steps:
- name: Action
id: action
uses: actions/[email protected]
with:
script: |
const { pull_request } = context.payload;
const { pulls } = github.rest;
const path = require('path');
const fs = require('fs');
const os = require('os');
// Ref: https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/#languages-and-compilers
const mappings = {
"cpp": [".cpp", ".c++", ".cxx", ".hpp", ".hh", ".h++", ".hxx", ".c", ".cc", ".h"],
// Use only 'java' to analyze code written in Java, Kotlin or both
"java": [".java", ".kt"], // written in Java, Kotlin or both
// Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
"javascript": [".ts", ".tsx", ".js", ".jsx", ".mjs", ".es", ".es6", ".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".json", ".yaml", ".yml", ".raml", ".xml"]
};
const languages = new Set();
if (pull_request) {
try {
const files = await github.paginate(pulls.listFiles, {
...context.repo,
per_page: 100,
pull_number: pull_request.number
});
if (files.length > 3_000) { // The paginated response include a maximum of 3000 files
Object.keys(mappings).forEach(languages.add, languages);
} else {
files.forEach(({ filename }) => {
const ext = path.extname(filename);
Object.keys(mappings).some((name) => {
if (mappings[name].includes(ext)) {
languages.add(name);
return true;
}
return false;
});
});
}
} catch (e) {
console.error(e);
Object.keys(mappings).forEach(languages.add, languages);
}
} else {
Object.keys(mappings).forEach(languages.add, languages);
}
if (languages.size > 0) {
fs.appendFileSync(process.env.GITHUB_OUTPUT, `languages=${JSON.stringify(Array.from(languages))}${os.EOL}`, { encoding: 'utf8' });
}
analyze:
needs: triage
if: needs.triage.outputs.languages
runs-on: ${{ github.repository == 'Tencent/Hippy' && fromJson('[''self-hosted'', ''linux'', ''codeql'']') || 'ubuntu-latest' }}
container:
image: ghcr.io/tencent/android-release:latest
options: --user root
strategy:
fail-fast: false
matrix:
language: ${{ fromJSON(needs.triage.outputs.languages) }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
lfs: true
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
- name: Setup Node.js
if: matrix.language == 'javascript'
uses: actions/setup-node@v3
with:
node-version: latest
- name: Build Java
if: matrix.language == 'java'
env:
skipCmakeAndNinja: 1
run: |
./gradlew assembleDebug
- name: Build C++
if: matrix.language == 'cpp'
run: |
./gradlew buildCMakeDebug -PINCLUDE_ABI_X86=true -PINCLUDE_ABI_X86_64=true
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
fallback:
needs: triage
if: ${{ !needs.triage.outputs.languages }}
runs-on: ubuntu-latest
steps:
- name: Generate Fake SARIF
run:
echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL"}},"results":[]}]}' > ./fake.sarif
# The following step will output a lot of errors(like `The process '/usr/bin/git' failed with exit code 128`),
# don't worry it's NORMAL because we don't checkout repository.
- name: Upload Fake SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./fake.sarif
category: fake_results_do_not_care
codeql_finalize:
needs: [ analyze, fallback ]
if: always()
runs-on: ubuntu-latest
steps:
- name: Success
if: contains(needs.*.result, 'success')
run: |
echo "CodeQL analysis completed successfully!"
- name: Failure
if: ${{ !contains(needs.*.result, 'success') }}
run: |
echo "CodeQL analysis completed with errors!"
exit -1