codeql-analysis.yml
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
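name: "CodeQL"

# Builds Mudlet under CodeQL tracing on Linux, analyses the C++ code, drops
# findings located in 3rdparty/ from the SARIF output and uploads the rest
# to code scanning.
on:
  push:
    branches: [development, main]
  schedule:
    # Weekly: Wednesdays at 07:00 UTC.
    - cron: '0 7 * * 3'
  workflow_dispatch:

jobs:
  analyze:
    name: ${{matrix.buildname}}
    runs-on: ubuntu-latest
    # Listing permissions explicitly sets every scope not named here to
    # "none", so the job token can only write code-scanning results.
    # NOTE(review): a private repository would presumably also need
    # `contents: read` for the checkout step - confirm before reusing there.
    permissions:
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: cpp
            buildname: 'CodeQL'
            qt: '6.9.0'
            triplet: x64-linux
            compiler: gcc_64
            gcc_compiler_version: 10
            os: ubuntu-latest
    env:
      BOOST_ROOT: ${{github.workspace}}/3rdparty/boost
      BOOST_URL: https://github.com/boostorg/boost/releases/download/boost-1.83.0/boost-1.83.0.7z
    # NOTE(review): the third-party actions below (jurplel/install-qt-action,
    # lukka/get-cmake, leafo/gh-actions-lua, leafo/gh-actions-luarocks,
    # lukka/run-cmake, advanced-security/filter-sarif) are referenced by tag.
    # Tags can be moved; pinning each one to a full commit SHA
    # (`uses: owner/action@<full-commit-sha>  # vX`) fixes the code that runs
    # in this job.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # We must fetch at least the immediate parents so that if this is
          # a pull request then we can checkout the head.
          fetch-depth: 2
          submodules: recursive
          # Submodules are fetched inside this step; nothing later in the job
          # needs git credentials, so do not leave the job token configured
          # for the build scripts and third-party actions that follow.
          persist-credentials: false

      # Inert while the job runs on ubuntu-latest; kept for parity with the
      # other build workflows.
      - name: (Windows) Install Qt
        uses: jurplel/install-qt-action@v4
        if: runner.os == 'Windows'
        with:
          version: ${{matrix.qt}}
          dir: ${{runner.workspace}}
          arch: win64_mingw73
          cache: true
          modules: qt5compat qtmultimedia

      - name: (Linux/macOS) Install Qt
        uses: jurplel/install-qt-action@v4
        if: runner.os == 'Linux' || runner.os == 'macOS'
        with:
          version: ${{matrix.qt}}
          dir: ${{runner.workspace}}
          cache: true
          modules: qt5compat qtmultimedia

      - name: Restore Boost cache
        uses: actions/cache@v5
        id: cache-boost
        with:
          path: ${{env.BOOST_ROOT}}
          # NOTE(review): the key is a constant, so changing BOOST_URL does
          # not invalidate the cache, and whatever was first stored under
          # "boost" keeps being restored. Consider including the Boost
          # version in the key.
          key: boost

      - name: Install Boost
        if: steps.cache-boost.outputs.cache-hit != 'true'
        run: |
          if [ "$OS" == "Windows_NT" ]; then
            # fix up paths to be forward slashes consistently
            BOOST_ROOT=$(echo "$BOOST_ROOT" | sed 's/\\/\//g')
          fi
          mkdir -p "$BOOST_ROOT"
          # --fail makes curl exit non-zero on an HTTP error instead of
          # saving the error page as download.7z.
          curl --fail --progress-bar --location --output "$BOOST_ROOT/download.7z" "$BOOST_URL"
          # NOTE(review): the archive is extracted without an integrity check.
          # Record the expected SHA-256 of the release (placeholder:
          # <expected-sha256>) and verify it with `sha256sum -c` before
          # extraction.
          7z -o"$BOOST_ROOT" x "$BOOST_ROOT/download.7z" -y -bd
          # cd on its own line: inside `cd ... && cp ...` a failed cd does not
          # trigger errexit, and the rm below would then run in the wrong
          # directory.
          cd "$BOOST_ROOT"
          cp -r boost-*/* .
          rm -rf boost-*/* download.7z
        shell: bash

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          config-file: ./.github/codeql/codeql-config.yml
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          queries: security-extended, security-and-quality

      # NOTE(review): the step name says 3.30.3 but the action is referenced
      # at tag v4.3.2 - confirm which CMake version is intended.
      - name: Use CMake 3.30.3
        uses: lukka/get-cmake@v4.3.2

      - name: (Linux) Install Lua via GitHub Actions
        uses: leafo/gh-actions-lua@v13
        if: runner.os == 'Linux'
        with:
          luaVersion: "5.1.5"
          buildCache: false

      - name: (Linux) Install Luarocks via GitHub Actions
        uses: leafo/gh-actions-luarocks@v6
        if: runner.os == 'Linux'

      - name: (Linux) Install dependencies
        if: runner.os == 'Linux'
        run: |
          sudo apt-get update
          # Install all required dependencies
          # liblua5.1-0-dev is needed for CMake to find Lua headers/library
          sudo apt-get install libsecret-1-dev ccache pkg-config pcre2-utils expect libzip-dev libglu1-mesa-dev libpulse-dev g++-${{matrix.gcc_compiler_version}} \
            libassimp-dev libpcre2-dev libpugixml-dev libsqlite3-dev libyajl-dev libhunspell-dev liblua5.1-0-dev libonig-dev libboost-dev qtkeychain-qt6-dev -y
          # switch to GCC that supports C++20 while retaining support for older OS's
          sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-${{matrix.gcc_compiler_version}} ${{matrix.gcc_compiler_version}}
          sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-${{matrix.gcc_compiler_version}} ${{matrix.gcc_compiler_version}}
          sudo update-alternatives --set gcc /usr/bin/gcc-${{matrix.gcc_compiler_version}}
          sudo update-alternatives --set g++ /usr/bin/g++-${{matrix.gcc_compiler_version}}
          echo "CCACHE_DIR=${{runner.workspace}}/ccache" >> $GITHUB_ENV
          # Install lua-yajl early to generate translation statistics
          luarocks install --local lua-yajl
          # Allow stats generation script to see location of lua-yajl
          eval "$(luarocks path --local --lua-version "5.1")"
          echo "LUA_PATH=$LUA_PATH" >> $GITHUB_ENV
          echo "LUA_CPATH=$LUA_CPATH" >> $GITHUB_ENV

      - name: (Linux/macOS) Set build info
        if: runner.os == 'Linux' || runner.os == 'macOS'
        run: |
          ${{github.workspace}}/CI/validate_deployment.sh
          ${{github.workspace}}/CI/set-build-info.sh

      # The build runs between CodeQL init and analyze so that the compiler
      # invocations are observed by the CodeQL tracer.
      - name: Build Mudlet
        uses: lukka/run-cmake@v3
        with:
          cmakeListsOrSettingsJson: CMakeListsTxtAdvanced
          cmakeListsTxtPath: '${{github.workspace}}/CMakeLists.txt'
          buildDirectory: '${{runner.workspace}}/b/ninja'
          cmakeAppendedArgs: >-
            -G Ninja
            -DCMAKE_PREFIX_PATH=${{ env.QT_PREFIX != '' && env.QT_PREFIX || env.MINGW_BASE_DIR }}
        env:
          NINJA_STATUS: '[%f/%t %o/sec] '

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
          # Keep the results local so they can be filtered before upload.
          upload: false
          output: sarif-results

      # Findings located under 3rdparty/ are removed from the SARIF file and
      # therefore never reach code scanning; vulnerabilities in vendored code
      # have to be tracked by other means (e.g. upstream advisories).
      - name: Filter out 3rdparty dependencies
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -3rdparty/**
          input: sarif-results/${{ matrix.language }}.sarif
          output: sarif-results/${{ matrix.language }}.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: sarif-results/${{ matrix.language }}.sarif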