-
Notifications
You must be signed in to change notification settings - Fork 947
156 lines (144 loc) · 5.01 KB
/
security_codeql_analyses.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
name: "[security] codeql analyses"
on:
push:
branches:
- v3.0-dev
- v3.0
pull_request:
branches:
- v3.0-dev
- v3.0
schedule:
# Run every day at 20:00 UTC(04:00 UTC+08:00).
- cron: '0 20 * * *'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
permissions:
actions: read
contents: read
security-events: write
jobs:
triage:
runs-on: ubuntu-latest
outputs:
languages: ${{ steps.action.outputs.languages }}
group: ${{ steps.action.outputs.group }}
steps:
- name: Action
id: action
uses: actions/[email protected]
with:
script: |
const { pull_request } = context.payload;
const { pulls } = github.rest;
const path = require('path');
const fs = require('fs');
const os = require('os');
// Ref: https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/#languages-and-compilers
const mappings = {
"cpp": [".cpp", ".c++", ".cxx", ".hpp", ".hh", ".h++", ".hxx", ".c", ".cc", ".h"],
// Use only 'java' to analyze code written in Java, Kotlin or both
"java": [".java", ".kt"], // written in Java, Kotlin or both
// Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
"javascript": [".ts", ".tsx", ".js", ".jsx", ".mjs", ".es", ".es6", ".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".json", ".yaml", ".yml", ".raml", ".xml"]
};
const languages = new Set();
if (pull_request) {
try {
const files = await github.paginate(pulls.listFiles, {
...context.repo,
per_page: 100,
pull_number: pull_request.number
});
if (files.length > 3_000) { // The paginated response include a maximum of 3000 files
Object.keys(mappings).forEach(languages.add, languages);
} else {
files.forEach(({ filename }) => {
const ext = path.extname(filename);
Object.keys(mappings).some((name) => {
if (mappings[name].includes(ext)) {
languages.add(name);
return true;
}
return false;
});
});
}
} catch (e) {
console.error(e);
Object.keys(mappings).forEach(languages.add, languages);
}
} else {
Object.keys(mappings).forEach(languages.add, languages);
}
if (languages.size > 0) {
fs.appendFileSync(process.env.GITHUB_OUTPUT, `languages=${JSON.stringify(Array.from(languages))}${os.EOL}`, { encoding: 'utf8' });
}
analyze:
needs: triage
if: needs.triage.outputs.languages
runs-on: ${{ github.repository == 'Tencent/Hippy' && fromJson('[''self-hosted'', ''linux'', ''codeql'']') || 'ubuntu-latest' }}
container:
image: ghcr.io/tencent/android-release:latest
options: --user root
strategy:
fail-fast: false
matrix:
language: ${{ fromJSON(needs.triage.outputs.languages) }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
lfs: true
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
- name: Setup Node.js
if: matrix.language == 'javascript'
uses: actions/setup-node@v3
with:
node-version: latest
- name: Build Java
if: matrix.language == 'java'
env:
skipCmakeAndNinja: 1
run: |
./gradlew assembleDebug
- name: Build C++
if: matrix.language == 'cpp'
run: |
./gradlew buildCMakeDebug -PINCLUDE_ABI_X86=true -PINCLUDE_ABI_X86_64=true
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
fallback:
needs: triage
if: ${{ !needs.triage.outputs.languages }}
runs-on: ubuntu-latest
steps:
- name: Generate Fake SARIF
run:
echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL"}},"results":[]}]}' > ./fake.sarif
# The following step will output a lot of errors(like `The process '/usr/bin/git' failed with exit code 128`),
# don't worry it's NORMAL because we don't checkout repository.
- name: Upload Fake SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ./fake.sarif
category: fake_results_do_not_care
codeql_finalize:
needs: [ analyze, fallback ]
if: always()
runs-on: ubuntu-latest
steps:
- name: Success
if: contains(needs.*.result, 'success')
run: |
echo "CodeQL analysis completed successfully!"
- name: Failure
if: ${{ !contains(needs.*.result, 'success') }}
run: |
echo "CodeQL analysis completed with errors!"
exit -1