Skip to content

CodeQL

CodeQL #1114

Workflow file for this run

# SPDX-License-Identifier: Apache-2.0 OR MIT
#
# SPDX-FileCopyrightText: Copyright 2022 Micron Technology, Inc.
name: CodeQL
on:
push:
branches:
- master
- "v[0-9]+.[0-9]+"
pull_request:
branches:
- master
- "v[0-9]+.[0-9]+"
paths:
- "**.c"
- "**.cc"
- "**.h"
- "**.h.in"
- "**.py"
- "**/meson.build"
- .github/workflows/codeql.yaml
schedule:
- cron: 0 0 * * SUN
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref }}
cancel-in-progress: true
permissions:
security-events: write
jobs:
determine-tag:
runs-on: ubuntu-latest
continue-on-error: false
outputs:
tag: ${{ steps.determine-tag.outputs.tag }}
steps:
- name: Determine tag
id: determine-tag
run: |
if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
echo "tag=$GITHUB_BASE_REF" >> "$GITHUB_OUTPUT"
else
echo "tag=$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"
fi
codeql:
runs-on: ubuntu-latest
needs:
- determine-tag
container:
image: ghcr.io/hse-project/ci-images/fedora-37:${{ needs.determine-tag.outputs.tag }}
steps:
- name: Checkout HSE
uses: actions/checkout@v3
- name: Cache Meson packagecache
uses: actions/cache@v3
with:
path: subprojects/packagecache
key: meson-packagecache-fedora-37-${{ hashFiles('subprojects/*.wrap') }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
# Ideally we compile no code from subprojects other than built-in code.
# CodeQL will analyze any code that actually gets built. Fedora doesn't
# package all cJSON functionality we need, so build it and cross fingers!
#
# https://bugzilla.redhat.com/show_bug.cgi?id=2117773
- name: Setup
run: |
meson setup builddir --fatal-meson-warnings --werror \
-Dwrap_mode=nofallback -Dforce_fallback_for=cjson -Dbindings=none \
-Ddocs=disabled
- name: Build
run: |
ninja -C builddir
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v2