From 42c27f34824e20f709433a0122ae3026ef0e457c Mon Sep 17 00:00:00 2001 From: Geoff Hutchison Date: Mon, 16 Jan 2023 08:52:52 -0500 Subject: [PATCH] Add CodeQL scanning build to check for quality and security Signed-off-by: Geoff Hutchison --- .github/workflows/codeql.yml | 113 +++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..6a2d54dcc8 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,113 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "master" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "master" ] + schedule: + - cron: '42 6 * * 6' + +env: + QT_VERSION: 5.15.2 + FEATURES: -DBUILD_GPL_PLUGINS=ON -DWITH_COORDGEN=OFF + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'cpp' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout openchemistry + uses: actions/checkout@v3 + with: + repository: openchemistry/openchemistry + submodules: recursive + + - name: Checkout avogadroapp + uses: actions/checkout@v3 + with: + repository: openchemistry/avogadroapp + path: avogadroapp + + - name: Checkout avogadrolibs + uses: actions/checkout@v3 + with: + path: avogadrolibs + + - name: Install Dependencies (Linux) + if: runner.os == 'Linux' + run: | + sudo apt-get -qq update + sudo apt-get -qq install ninja-build libeigen3-dev libboost-all-dev libglew-dev libxml2-dev + sudo apt-get -qq install qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5x11extras5-dev libqt5svg5-dev + + - name: Cache Qt + id: cache-qt + uses: actions/cache@v3 + with: + path: ../Qt + key: ${{ runner.os }}-QtCache + + - name: Install Qt + uses: jurplel/install-qt-action@v3 + with: + cached: ${{ steps.cache-qt.outputs.cache-hit }} + version: ${{ env.QT_VERSION }} + + - name: Grab cache files + uses: actions/cache@v3 + with: + path: | + ${{ runner.workspace }}/build/thirdparty + ${{ runner.workspace }}/build/Downloads + key: ${{ matrix.config.name }}-thirdparty + + - name: Configure + run: | + cmake $GITHUB_WORKSPACE ${{env.FEATURES}} -DCMAKE_BUILD_TYPE=RelWithDebInfo ${{matrix.config.cmake_flags}} + shell: bash + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + source-root: ${{ github.workspace }}/avogadrolibs + # queries: security-extended,security-and-quality + + - name: Build + run: | + cmake --build . -j 4 --config RelWithDebInfo + shell: bash + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" + checkout_path: ${{ github.workspace }}/avogadrolibs