Merge pull request #19 from advanced-security/jsinglet/repo-library-i… #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ⚙️ Integration Test Bundle on PR (CPP) | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| pull_request: | |
| branches: | |
| - 'main' | |
| workflow_dispatch: | |
| jobs: | |
| analyze: | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'cpp' ] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install QLT | |
| id: install-qlt | |
| uses: ./.github/actions/install-qlt-local | |
| with: | |
| qlt-version: 'latest' | |
| add-to-path: true | |
| - name: Validate QLT Installation | |
| shell: bash | |
| run: | | |
| echo -e "Checking QLT Version:" | |
| echo "QLT Home: ${{ steps.install-qlt.outputs.qlt-home }}" | |
| qlt version | |
| - name: Create Bundle (compiled) | |
| shell: bash | |
| run: | | |
| if ! qlt codeql run install --base example/ --custom-bundle ; then | |
| echo "Failed to generate bundle." | |
| exit 1 | |
| fi | |
| # ensure bundle runs | |
| if ! qlt query run install-packs --use-bundle --base example/ ; then | |
| echo "Failed to install query packs with tool." | |
| exit 1 | |
| fi | |
| - name: Validate Bundle Existence | |
| shell: bash | |
| run: | | |
| echo "Checking Bundle Existence" | |
| ls -l ${{ env.QLT_CODEQL_HOME }}/../out/ | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-extended | |
| source-root: integration-tests/cpp/src/ # Path containing the example application | |
| tools: ${{ env.QLT_CODEQL_BUNDLE_PATH }} | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v2 | |
| with: | |
| working-directory: integration-tests/cpp/src/ # Path containing the example application | |
| - name: Perform CodeQL Analysis | |
| id: analysis | |
| uses: github/codeql-action/analyze@v2 | |
| - name: Validate SARIF Location | |
| shell: bash | |
| run: | | |
| # validate we have the actual sarif results | |
| echo "Checking SARIF file location at: ${{ steps.analysis.outputs.sarif-output }}" | |
| ls -l ${{ steps.analysis.outputs.sarif-output }} | |
| - name: Upload SARIF Results | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: actual.sarif | |
| path: | | |
| ${{ steps.analysis.outputs.sarif-output }}/*.sarif | |
| if-no-files-found: error | |
| - name: Upload Bundle Used | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: codeql-bundle.tar.gz | |
| path: | | |
| ${{ env.QLT_CODEQL_BUNDLE_PATH }} | |
| if-no-files-found: error | |
| - name: Validate SARIF Results | |
| shell: bash | |
| run: | | |
| # Compare the expected vs the actual | |
| qlt bundle run validate-integration-tests --expected integration-tests/cpp/expected.sarif --actual ${{ steps.analysis.outputs.sarif-output }}/cpp.sarif |