Skip to content

CodeQL

CodeQL #90

# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"
on:
schedule:
- cron: "0 0 * * 0"
pull_request:
paths:
- ".github/workflows/codeql-analysis.yml"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
jobs:
analyze:
name: Analyze
# Insufficient space to run on public runner, so use custom pool
runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
container:
image: ghcr.io/microsoft/ccf/ci/default:build-25-07-2024
options: --user root
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
language: ["cpp"]
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
# Done before CodeQL init to let it find the commit successfully
- name: Work around git warning
run: git config --global --add safe.directory /__w/CCF/CCF
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-extended
- run: |
set -ex
mkdir build
cd build
cmake -DCOMPILE_TARGET=virtual -DREQUIRE_OPENENCLAVE=OFF -DCMAKE_BUILD_TYPE=Debug -DBUILD_TESTS=OFF -DLVI_MITIGATIONS=OFF ..
name: Run CMake
- run: |
cd build
make -j16
name: Run Make
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3