Skip to content

CodeQL

CodeQL #681

Workflow file for this run

name: "CodeQL"
on:
schedule:
- cron: "0 18 * * *" # every day at 6 PM : https://crontab.guru/#0_18_*_*_*
workflow_dispatch:
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ python, cpp ]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Install Packages (cpp)
if: ${{ matrix.language == 'cpp' }}
run: |
sudo apt-get update && sudo apt-get install -y libboost-all-dev libglfw3-dev libpng++-dev libopenal-dev libglvnd-dev libfreetype6-dev cimg-dev ffmpeg libutfcpp-dev gettext libavcodec-dev libavformat-dev libavfilter-dev qtbase5-dev qt5-qmake qtbase5-dev-tools qttools5-dev libarchive-dev libjpeg-dev
- name: Configure (cpp)
if: ${{ matrix.language == 'cpp' }}
run: |
mkdir build
cd build
cmake -DPERMISSIVE_BUILD=ON ..
- name: After Prepare (cpp)
if: ${{ matrix.language == 'cpp' }}
run: |
mkdir custom_cmake
wget --quiet -O - https://github.com/Kitware/CMake/releases/download/v3.21.2/cmake-3.21.2-linux-x86_64.tar.gz | tar --strip-components=1 -xz -C custom_cmake
export PATH=$(pwd)/custom_cmake/bin:${PATH} && echo "PATH=$PATH" >> $GITHUB_ENV
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
if: ${{ matrix.language == 'python' }}
- name: Build cpp
if: ${{ matrix.language == 'cpp' }}
run: |
cd build
make -j4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
upload: False
output: sarif-results
category: "/language:${{ matrix.language }}"
- name: filter-sarif
uses: advanced-security/filter-sarif@v1
with:
patterns: |
-3rdparty/**
input: "sarif-results/${{ matrix.language }}.sarif"
output: "sarif-results/${{ matrix.language }}.sarif"
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "sarif-results/${{ matrix.language }}.sarif"
- name: Upload loc as a Build Artifact
uses: actions/upload-artifact@v4
with:
name: sarif-results
path: sarif-results
retention-days: 2
overwrite: true