CodeQL (Advanced) #21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CodeQL security checks (Advanced) | |
| # | |
| # Runner size impacts CodeQL analysis time. To learn more, please see: | |
| # - https://gh.io/recommended-hardware-resources-for-running-codeql | |
| # - https://gh.io/supported-runners-and-hardware-resources | |
| # - https://gh.io/using-larger-runners (GitHub.com only) | |
| # - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. | |
| # - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages | |
| # - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
| # - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun | |
| # | |
| # Queries: | |
| # - https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/c-cpp-built-in-queries | |
| name: "CodeQL (Advanced)" | |
| run-name: "CodeQL (Advanced)" | |
| on: | |
| push: | |
| branches: [ "devel", "master" ] | |
| pull_request: | |
| branches: [ "devel" ] | |
| jobs: | |
| analyze: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: c-cpp | |
| build-mode: manual | |
| - language: python | |
| build-mode: none | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # (Add any setup steps before running the `github/codeql-action/init` action.) | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # (Custom queries) | |
| queries: security-extended,security-and-quality | |
| - name: Update package cache | |
| run: sudo apt-get update -qqq | |
| - name: Add more build dependencies | |
| run: sudo apt-get install -y liblzo2-dev libzstd-dev libblkid-dev uuid-dev zlib1g-dev libext2fs-dev e2fsprogs libudev-dev | |
| - if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| ./autogen.sh | |
| ./configure --disable-documentation --enable-experimental | |
| make -j 4 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{matrix.language}}" |