Skip to content

CodeQL

CodeQL #892

Workflow file for this run

---
# Run CodeQL to analyze C/C++ and Python code.
name: CodeQL
on:
pull_request:
types: [opened, reopened, labeled, synchronize]
branches: [master]
push:
branches: [master]
schedule:
- cron: "27 2 * * 1"
env:
DISABLE_TELEMETRY: 1
concurrency:
group: codeql-${{ github.ref }}
cancel-in-progress: true
jobs:
prepare:
name: Prepare Jobs
runs-on: ubuntu-latest
outputs:
cpp: ${{ steps.cpp.outputs.run }}
python: ${{ steps.python.outputs.run }}
go: ${{ steps.go.outputs.run }}
steps:
- name: Clone repository
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0
- name: Check if we should always run
id: always
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
if [ "${{ contains(github.event.pull_request.labels.*.name, 'run-ci/codeql') }}" = "true" ]; then
echo "run=true" >> "${GITHUB_OUTPUT}"
echo '::notice::Found ci/codeql label, unconditionally running all CodeQL checks.'
else
echo "run=false" >> "${GITHUB_OUTPUT}"
fi
else
echo "run=true" >> "${GITHUB_OUTPUT}"
fi
- name: Check for C/C++ changes
id: cpp
run: |
if [ "${{ steps.always.outputs.run }}" = "false" ]; then
if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq '.*\.[ch](xx|\+\+)?' ; then
echo "run=true" >> "${GITHUB_OUTPUT}"
echo '::notice::C/C++ code has changed, need to run CodeQL.'
else
echo "run=false" >> "${GITHUB_OUTPUT}"
fi
else
echo "run=true" >> "${GITHUB_OUTPUT}"
fi
- name: Check for python changes
id: python
run: |
if [ "${{ steps.always.outputs.run }}" = "false" ]; then
if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq 'src/collectors/python.d.plugin/.*\.py' ; then
echo "run=true" >> "${GITHUB_OUTPUT}"
echo '::notice::Python code has changed, need to run CodeQL.'
else
echo "run=false" >> "${GITHUB_OUTPUT}"
fi
else
echo "run=true" >> "${GITHUB_OUTPUT}"
fi
- name: Check for Go changes
id: go
run: |
if [ "${{ steps.always.outputs.run }}" = "false" ]; then
if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq 'src/go/*\.go' ; then
echo "run=true" >> "${GITHUB_OUTPUT}"
echo '::notice::Go code has changed, need to run CodeQL.'
else
echo "run=false" >> "${GITHUB_OUTPUT}"
fi
else
echo "run=true" >> "${GITHUB_OUTPUT}"
fi
analyze-cpp:
name: Analyze C/C++
runs-on: ubuntu-latest
needs: prepare
if: needs.prepare.outputs.cpp == 'true'
permissions:
security-events: write
steps:
- name: Git clone repository
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: cpp
config-file: ./.github/codeql/c-cpp-config.yml
- name: Prepare environment
run: ./packaging/installer/install-required-packages.sh --dont-wait --non-interactive netdata
- name: Build netdata
run: ./netdata-installer.sh --dont-start-it --disable-telemetry --dont-wait --install-prefix /tmp/install --one-time-build
- name: Run CodeQL
uses: github/codeql-action/analyze@v3
with:
category: "/language:cpp"
analyze-python:
name: Analyze Python
runs-on: ubuntu-latest
needs: prepare
if: needs.prepare.outputs.python == 'true'
permissions:
security-events: write
steps:
- name: Git clone repository
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
config-file: ./.github/codeql/python-config.yml
languages: python
- name: Run CodeQL
uses: github/codeql-action/analyze@v3
with:
category: "/language:python"
analyze-go:
name: Analyze Go
runs-on: ubuntu-latest
needs: prepare
if: needs.prepare.outputs.go == 'true'
strategy:
matrix:
tree:
- src/go
permissions:
security-events: write
steps:
- name: Git clone repository
uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: go
- name: Autobuild
uses: github/codeql-action/autobuild@v3
with:
working-directory: ${{ matrix.tree }}
- name: Run CodeQL
uses: github/codeql-action/analyze@v3
with:
category: "/language:go"