diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..b398cf89c
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,145 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ branches: [ "master" ]
+ schedule:
+ - cron: '22 16 * * 5'
+
+jobs:
+ analyze-jsts:
+ name: Analyze JavaScript-TypeScript
+ env:
+ OS: ubuntu-22.04
+ DB: postgresql
+ LANG: javascript-typescript
+ runs-on: $OS
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: $LANG
+
+ # Perform CodeQL analysis
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
+
+
+ analyze-cpp:
+ name: Analyze C-C++
+ env:
+ OS: ubuntu-22.04
+ DB: postgresql
+ LANG: c-cpp
+ BUILD_TYPE: Debug
+ DB_TYPE: psql
+ INSTALL_PATH: ${{github.workspace}}/dependencies/install
+ DOWNLOAD_PATH: ${{github.workspace}}/dependencies/download
+ runs-on: $OS
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: $LANG
+
+ # Build project
+ - name: Update apt-get
+ run: sudo apt-get update
+
+ - name: Install required packages for build
+ run: ./.github/scripts/$OS/setup_build.sh
+
+ - name: Install database packages
+ run: ./.github/scripts/$OS/setup_$DB.sh
+
+ - name: Set has-compiled-dependencies flag
+ id: compilation-flag
+ run: |
+ if [ -f ./.github/scripts/$OS/compile_build.sh ]; then
+ echo "HAS_COMPILED_DEPENDENCIES=true" >> "$GITHUB_ENV"
+ else
+ echo "HAS_COMPILED_DEPENDENCIES=false" >> "$GITHUB_ENV"
+ fi
+
+ - name: Download installers for compiled dependencies
+ if: ${{ env.HAS_COMPILED_DEPENDENCIES == 'true' }}
+ id: download-compile-dependencies
+ run: |
+ chmod +x ./.github/scripts/$OS/download_build.sh
+ ./.github/scripts/$OS/download_build.sh
+
+ - name: Compile dependencies
+ if: ${{ env.HAS_COMPILED_DEPENDENCIES == 'true' && steps.restore-compiled-dependencies.outputs.cache-hit != 'true' }}
+ run: |
+ chmod +x ./.github/scripts/$OS/compile_build.sh
+ ./.github/scripts/$OS/compile_build.sh
+
+ - name: Post compilation configuration (build)
+ if: ${{ env.HAS_COMPILED_DEPENDENCIES == 'true' }}
+ run: |
+ if [ -f ./.github/scripts/$OS/postcompile_build.sh ]; then
+ chmod +x ./.github/scripts/$OS/postcompile_build.sh
+ ./.github/scripts/$OS/postcompile_build.sh
+ fi
+
+ - name: Install database packages
+ run: ./.github/scripts/$OS/setup_$DB.sh
+
+ - name: Configure CMake
+ working-directory: ${{github.workspace}}
+ run: cmake -E make_directory $HOME/cc-build
+
+ - name: Run CMake
+ run: >
+ cd $HOME/cc-build &&
+ cmake ${{github.workspace}} -DCMAKE_EXPORT_COMPILE_COMMANDS=1
+ -DCMAKE_INSTALL_PREFIX=$HOME/$OS/$DB/cc-install
+ -DDATABASE=$DB_TYPE
+ -DCMAKE_BUILD_TYPE=$BUILD_TYPE
+ -DLLVM_DIR=/usr/lib/llvm-11/cmake
+ -DClang_DIR=/usr/lib/cmake/clang-11
+
+ - name: Build
+ run: |
+ cd $HOME/cc-build
+ make -j $(nproc)
+
+ - name: Install
+ run: |
+ cd $HOME/cc-build
+ make install
+
+ # Perform CodeQL analysis
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:$LANG"
+