security-workflows/.github/workflows/codeql-java.yml at main · braintree/security-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
name: Code Scanning

on:
  workflow_call:
    inputs:
      java-version:
        description: 'Optional Java version number'
        required: false
        default: 17
        type: number
      build-command:
        description: 'Optional application build command'
        required: false
        type: string
      filter-patterns:
        description: 'Optional comma-separated list of filter patterns'
        required: false
        type: string
      timeout-minutes:
        description: 'Optional override for larger builds'
        required: false
        default: 30
        type: number

permissions:
  security-events: write
  # required to fetch internal or private CodeQL packs
  packages: read
  actions: read
  contents: read

defaults:
  run:
    shell: bash

jobs:
  code-scanning:
    name: Code Scanning
    runs-on: ubuntu-latest
    timeout-minutes: ${{ inputs.timeout-minutes }}
    strategy:
      fail-fast: false

    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

      - name: Setup Java
        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00
        with:
          java-version: ${{ inputs.java-version }}
          distribution: adopt

      - name: Initialize CodeQL
        uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858
        with:
          languages: java-kotlin
          build-mode: manual

      - name: Gradle build (default)
        run: |
          ./gradlew --parallel --no-daemon --no-build-cache \
          clean assemble -x test

      - name: Gradle build (custom)
        run: |
          ./gradlew --parallel --no-daemon --no-build-cache \
          ${{ inputs.build-command }}

      - name: Perform CodeQL Analysis
        id: codeql
        uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858
        with:
          category: "/language:java-kotlin"
          output: sarif-results
          upload: failure-only

      - name: Process & Upload SARIF
        uses: braintree/security-workflows/.github/actions/upload-sarif@main
        with:
          sarif_dir: ${{ env.CODEQL_ACTION_SARIF_RESULTS_OUTPUT_DIR }}
          filter_patterns: ${{ inputs.filter-patterns }}