Implement Actions extractor and placeholder Actions QL packs #17850
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
dbartol
added
Actions
|
Since I had the code checked out to fix the formatting, I took the liberty of adding auto-labeler support as well 😊 |
RasmusWL
previously approved these changes
Oct 28, 2024
Co-authored-by: Rasmus Wriedt Larsen <[email protected]>
tausbn
approved these changes
Oct 28, 2024
aibaars
requested changes
Oct 28, 2024
I'll give them a try locally. I'm planning integration tests once everything is hooked up into the CLI build. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The PR implements an extractor for GitHub Actions workflows. The extractor more or less just forwards to the JavaScript extractor to do the actual extraction. The JavaScript extractor handles both JS and YAML. For now, we're only using the YAML, but we have ambitions to analyze JS code embedded within a workflow in the future. The
autobuild.*scripts copy all of theCODEQL_EXTRACTOR_ACTIONS_*environment variables into theCODEQL_EXTRACTOR_JAVASCRIPT_*variables for the JavaScript extractor. In addition, if no path filters are specified by the user, we supply a default set of path filters the extractor only YAML files that are likely to be Actions workflows or reusable Actions.In addition to the extractor itself, I've added placeholder CodeQL packs for the library, queries, and tests. There are two placeholder tests: one that imports a
.qllfile from the library pack, and one that runs a query from the query pack. Note that the library pack does not have a dbscheme. Instead, it depends oncodeql/javascript-all, since the actual extraction is done by the JavaScript extractor with the JavaScript dbscheme. Theextractor: actionsproperty on the query pack ensures that the queries are treated as being for theactionslanguage, rather than thejavascriptlanguage.Note to reviewers: I know nothing about Bash except what I've Googled in the last few hours. Please take a close look at the
autobuild.shscript.A subsequent PR will add Bazel files to incorporate the new extractor into the CLI build.