diff options
Diffstat (limited to '.github/workflows/codeql-analysis.yml')
| -rw-r--r-- | .github/workflows/codeql-analysis.yml | 141 |
1 files changed, 94 insertions, 47 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b86bec4224..69f38f3f48 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,20 +1,23 @@ -name: "Code scanning - action" +name: 'CodeQL' on: - # push: - # paths-ignore: - # - 'doc/**' - # - '**/man' - # - '**.md' - # - '**.rdoc' - # - '**/.document' - # pull_request: - # paths-ignore: - # - 'doc/**' - # - '**/man' - # - '**.md' - # - '**.rdoc' - # - '**/.document' + push: + branches: ['master'] + paths-ignore: + - 'doc/**' + - '**/man/*' + - '**.md' + - '**.rdoc' + - '**/.document' + - '.*.yml' + pull_request: + paths-ignore: + - 'doc/**' + - '**/man/*' + - '**.md' + - '**.rdoc' + - '**/.document' + - '.*.yml' schedule: - cron: '0 12 * * *' workflow_dispatch: @@ -23,52 +26,96 @@ concurrency: group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }} cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }} -permissions: # added using https://github.com/step-security/secure-workflows +permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: - CodeQL-Build: - - # CodeQL runs on ubuntu-latest and windows-latest - permissions: - actions: read # for github/codeql-action/init to get workflow details - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/autobuild to send a status report + analyze: + name: Analyze runs-on: ubuntu-latest + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report # CodeQL fails to run pull requests from dependabot due to missing write access to upload results. - if: ${{ !contains(github.event.head_commit.message, '[DOC]') && !contains(github.event.pull_request.labels.*.name, 'Documentation') && github.event.head_commit.pusher.name != 'dependabot[bot]' }} + if: >- + ${{!(false + || contains(github.event.head_commit.message, '[DOC]') + || contains(github.event.pull_request.title, '[DOC]') + || contains(github.event.pull_request.labels.*.name, 'Documentation') + || (github.event_name == 'push' && github.event.pull_request.user.login == 'dependabot[bot]') + )}} env: enable_install_doc: no + strategy: + fail-fast: false + matrix: + include: + - language: cpp + - language: ruby + steps: - - name: Install libraries - run: | - set -x - sudo apt-get update -q || : - sudo apt-get install --no-install-recommends -q -y build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev bison autoconf ruby + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Install libraries + if: ${{ contains(matrix.os, 'macos') }} + uses: ./.github/actions/setup/macos + + - name: Install libraries + if : ${{ matrix.os == 'ubuntu-latest' }} + uses: ./.github/actions/setup/ubuntu - - name: Checkout repository - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + - uses: ./.github/actions/setup/directories - - uses: actions/cache@c17f4bf4666a8001b1a45c09eb7a485c41aa64c3 # v3.2.0 - with: - path: .downloaded-cache - key: downloaded-cache + - name: Remove an obsolete rubygems vendored file + if: ${{ matrix.os == 'ubuntu-latest' }} + run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb - - name: Remove an obsolete rubygems vendored file - run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb + - name: Initialize CodeQL + uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7 + with: + languages: ${{ matrix.language }} + trap-caching: false + debug: true - - name: Initialize CodeQL - uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37 - with: - config-file: ./.github/codeql/codeql-config.yml + - name: Autobuild + uses: github/codeql-action/autobuild@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7 - - name: Set ENV - run: echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $GITHUB_ENV + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7 + with: + category: '/language:${{ matrix.language }}' + upload: False + output: sarif-results - - name: Autobuild - uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37 + - name: filter-sarif + uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1 + with: + patterns: | + +**/*.rb + -lib/uri/mailto.rb:rb/overly-large-range + -lib/uri/rfc3986_parser.rb:rb/overly-large-range + -lib/bundler/vendor/uri/lib/uri/mailto.rb:rb/overly-large-range + -lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb:rb/overly-large-range + -test/ruby/test_io.rb:rb/non-constant-kernel-open + -test/open-uri/test_open-uri.rb:rb/non-constant-kernel-open + -test/open-uri/test_ssl.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/binread_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/readlines_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/foreach_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/write_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/read_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/kernel/open_spec.rb:rb/non-constant-kernel-open + input: sarif-results/${{ matrix.language }}.sarif + output: sarif-results/${{ matrix.language }}.sarif + if: ${{ matrix.language == 'ruby' }} + continue-on-error: true - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37 + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7 + with: + sarif_file: sarif-results/${{ matrix.language }}.sarif + continue-on-error: true |