summaryrefslogtreecommitdiff
path: root/.github/workflows/codeql-analysis.yml
diff options
context:
space:
mode:
Diffstat (limited to '.github/workflows/codeql-analysis.yml')
-rw-r--r--.github/workflows/codeql-analysis.yml131
1 files changed, 106 insertions, 25 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 5897c5d37e..430a2c950d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,43 +1,124 @@
-name: "Code scanning - action"
+name: 'CodeQL'
on:
push:
+ branches: ['master']
+ paths-ignore:
+ - 'doc/**'
+ - '**/man'
+ - '**.md'
+ - '**.rdoc'
+ - '**/.document'
+ - '.*.yml'
pull_request:
+ paths-ignore:
+ - 'doc/**'
+ - '**/man'
+ - '**.md'
+ - '**.rdoc'
+ - '**/.document'
+ - '.*.yml'
schedule:
- - cron: '0 12 * * 4'
+ - cron: '0 12 * * *'
+ workflow_dispatch:
-jobs:
- CodeQL-Build:
+concurrency:
+ group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
+ cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
- # CodeQL runs on ubuntu-latest and windows-latest
- runs-on: ubuntu-latest
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ${{ matrix.os }}
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
+ # CodeQL fails to run pull requests from dependabot due to missing write access to upload results.
+ if: >-
+ ${{!(false
+ || contains(github.event.head_commit.message, '[DOC]')
+ || contains(github.event.head_commit.message, 'Documentation')
+ || contains(github.event.pull_request.title, '[DOC]')
+ || contains(github.event.pull_request.title, 'Documentation')
+ || contains(github.event.pull_request.labels.*.name, 'Documentation')
+ || (github.event_name == 'push' && github.actor == 'dependabot[bot]')
+ )}}
env:
enable_install_doc: no
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: cpp
+ os: ubuntu-latest
+ # ruby analysis used large memory. We need to use a larger runner.
+ - language: ruby
+ os: ${{ github.repository == 'ruby/ruby' && 'macos-arm-oss' || 'ubuntu-latest' }}
+
steps:
- - name: Install libraries
- run: |
- set -x
- sudo apt-get update -q || :
- sudo apt-get install --no-install-recommends -q -y build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev bison autoconf ruby
+ - name: Checkout repository
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+ - name: Install libraries
+ if: ${{ contains(matrix.os, 'macos') }}
+ uses: ./.github/actions/setup/macos
+
+ - name: Install libraries
+ if : ${{ matrix.os == 'ubuntu-latest' }}
+ uses: ./.github/actions/setup/ubuntu
+
+ - uses: ./.github/actions/setup/directories
- - name: Checkout repository
- uses: actions/checkout@v2
+ - name: Remove an obsolete rubygems vendored file
+ if: ${{ matrix.os == 'ubuntu-latest' }}
+ run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
- - name: Remove an obsolete rubygems vendored file
- run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ with:
+ languages: ${{ matrix.language }}
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- config-file: ./.github/codeql/codeql-config.yml
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
- - name: Set ENV
- run: echo "GNUMAKEFLAGS=-j$((1 + $(nproc --all)))" >> $GITHUB_ENV
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ with:
+ category: '/language:${{ matrix.language }}'
+ upload: False
+ output: sarif-results
- - name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ - name: filter-sarif
+ uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
+ with:
+ patterns: |
+ +**/*.rb
+ -lib/uri/mailto.rb:rb/overly-large-range
+ -lib/uri/rfc3986_parser.rb:rb/overly-large-range
+ -lib/bundler/vendor/uri/lib/uri/mailto.rb:rb/overly-large-range
+ -lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb:rb/overly-large-range
+ -test/ruby/test_io.rb:rb/non-constant-kernel-open
+ -test/open-uri/test_open-uri.rb:rb/non-constant-kernel-open
+ -test/open-uri/test_ssl.rb:rb/non-constant-kernel-open
+ -spec/ruby/core/io/binread_spec.rb:rb/non-constant-kernel-open
+ -spec/ruby/core/io/readlines_spec.rb:rb/non-constant-kernel-open
+ -spec/ruby/core/io/foreach_spec.rb:rb/non-constant-kernel-open
+ -spec/ruby/core/io/write_spec.rb:rb/non-constant-kernel-open
+ -spec/ruby/core/io/read_spec.rb:rb/non-constant-kernel-open
+ -spec/ruby/core/kernel/open_spec.rb:rb/non-constant-kernel-open
+ input: sarif-results/${{ matrix.language }}.sarif
+ output: sarif-results/${{ matrix.language }}.sarif
+ if: ${{ matrix.language == 'ruby' }}
+ continue-on-error: true
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ with:
+ sarif_file: sarif-results/${{ matrix.language }}.sarif
+ continue-on-error: true