@@ -2,12 +2,12 @@ name: "Code Scanning"
22
33on :
44 push :
5- branches : [ "main" ]
5+ branches : ["main"]
66 pull_request :
77 # The branches below must be a subset of the branches above
8- branches : [ "main" ]
8+ branches : ["main"]
99 schedule :
10- - cron : ' 39 12 * * 2'
10+ - cron : " 39 12 * * 2"
1111 workflow_dispatch :
1212
1313permissions :
1919jobs :
2020 analyze-javascript :
2121 name : Analyze
22- runs-on : ' ubuntu-latest'
22+ runs-on : " ubuntu-latest"
2323 permissions :
2424 actions : read
2525 contents : read
2626 security-events : write
2727
2828 steps :
29- - name : Checkout repository
30- uses : actions/checkout@v6
29+ - name : Checkout repository
30+ uses : actions/checkout@v6
3131
32- - name : Prepare local CodeQL model packs
33- run : |
34- mkdir -p .github/codeql/extensions
35- for ext in $(find . -name 'qlpack.yml' -exec fgrep -l dataExtensions {} \;); do
36- dir=$(dirname $ext)
37- echo "Moving $ext to .github/codeql/extensions/$dir"
38- mkdir -p .github/codeql/extensions/$dir
39- mv $dir .github/codeql/extensions/$dir
40- done
32+ - name : Extract CodeQL bundle version from qlt.conf.json
33+ run : |
34+ echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
4135
42- - name : Extract CodeQL bundle version from qlt.conf.json
43- run : |
44- echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
36+ - name : Initialize CodeQL
37+ id : initialize-codeql
38+ uses : github/codeql-action/init@v4
39+ env :
40+ # Add our custom extractor to the CodeQL search path
41+ CODEQL_ACTION_EXTRA_OPTIONS : ' {"database":{"init":["--search-path","${{ github.workspace }}/extractors"]}}'
42+ with :
43+ languages : javascript
44+ config-file : ./.github/codeql/codeql-config.yaml
45+ db-location : ${{ runner.temp }}/codeql-database
46+ tools : https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
47+ debug : true
4548
46- - name : Initialize CodeQL
47- id : initialize-codeql
48- uses : github/codeql-action/init@v4
49- env :
50- # Add our custom extractor to the CodeQL search path
51- CODEQL_ACTION_EXTRA_OPTIONS : ' {"database":{"init":["--search-path","${{ github.workspace }}/extractors"]}}'
52- with :
53- languages : javascript
54- config-file : ./.github/codeql/codeql-config.yaml
55- db-location : ${{ runner.temp }}/codeql-database
56- tools : https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
57- debug : true
49+ - name : Run CDS extractor
50+ shell : bash
51+ run : |
52+ export CODEQL_DIST="$(dirname "${{ steps.initialize-codeql.outputs.codeql-path }}")"
53+ export CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${{ runner.temp }}/codeql-database/javascript"
54+ ${{ github.workspace }}/scripts/compile-cds.sh
5855
59- - name : Run CDS extractor
60- shell : bash
61- run : |
62- export CODEQL_DIST="$(dirname "${{ steps.initialize-codeql.outputs.codeql-path }}")"
63- export CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${{ runner.temp }}/codeql-database/javascript"
64- ${{ github.workspace }}/scripts/compile-cds.sh
56+ - name : Perform CodeQL Analysis
57+ id : analyze
58+ uses : github/codeql-action/analyze@v4
59+ env :
60+ LGTM_INDEX_XML_MODE : all
61+ LGTM_INDEX_FILETYPES : " .json:JSON "
6562
66- - name : Perform CodeQL Analysis
67- id : analyze
68- uses : github/codeql-action/analyze@v4
69- env :
70- LGTM_INDEX_XML_MODE : all
71- LGTM_INDEX_FILETYPES : " .json:JSON"
63+ - name : Setup Python
64+ uses : actions/setup-python@v5
65+ with :
66+ python-version : " 3.10"
7267
73- - name : Setup Python
74- uses : actions/setup-python@v5
75- with :
76- python-version : ' 3.10 '
68+ - uses : actions/cache@v4
69+ with :
70+ path : ~/.cache/pip
71+ key : ${{ runner.os }}-pip
7772
78- - uses : actions/cache@v4
79- with :
80- path : ~/.cache/pip
81- key : ${{ runner.os }}-pip
73+ - name : Validate results
74+ continue-on-error : true
75+ id : validate
76+ run : |
77+ pip install sarif-tools
78+ sarif --version
79+ sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
80+ cat sarif-diff.json
81+ ! grep -q "[1-9]" sarif-diff.json
8282
83- - name : Validate results
84- continue-on-error : true
85- id : validate
86- run : |
87- pip install sarif-tools
88- sarif --version
89- sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
90- cat sarif-diff.json
91- ! grep -q "[1-9]" sarif-diff.json
83+ - name : Upload sarif change
84+ if : steps.validate.outcome != 'success'
85+ uses : actions/upload-artifact@v6
86+ with :
87+ name : sarif
88+ path : |
89+ sarif-diff.json
90+ ${{ steps.analyze.outputs.sarif-output }}
9291
93- - name : Upload sarif change
94- if : steps.validate.outcome != 'success'
95- uses : actions/upload-artifact@v6
96- with :
97- name : sarif
98- path : |
99- sarif-diff.json
100- ${{ steps.analyze.outputs.sarif-output }}
101-
102- - name : Unexpected Code Scanning results
103- if : steps.validate.outcome != 'success'
104- run : |
105- cat sarif-diff.json
106- echo "::error::Unexpected Code Scanning results!" && exit 1
92+ - name : Unexpected Code Scanning results
93+ if : steps.validate.outcome != 'success'
94+ run : |
95+ cat sarif-diff.json
96+ echo "::error::Unexpected Code Scanning results!" && exit 1
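Review bot: The job holds `security-events: write` yet every external dependency on the new side is mutable — `actions/checkout@v6`, `github/codeql-action/init@v4`, `actions/setup-python@v5`, `actions/cache@v4` and `actions/upload-artifact@v6` are floating major tags, and the Validate step runs `pip install sarif-tools` with no version or hash pin, so a compromised release of any of them can alter or upload arbitrary Code Scanning results. Pin each `uses:` to a full commit SHA with the tag kept in a trailing comment (e.g. `uses: actions/checkout@<sha> # v6`) and pin the tool, e.g. `pip install 'sarif-tools==<version>'` or a hash-pinned requirements file. Separately, the Extract step writes `$(jq .CodeQLCLIBundle qlt.conf.json -r)` straight into `$GITHUB_ENV` and that value is interpolated unchecked into the `tools:` download URL; because `pull_request` checks out the PR's own tree, a multi-line or crafted value in `qlt.conf.json` can inject extra environment variables into later steps, so validate it first, e.g. `ver=$(jq -r .CodeQLCLIBundle qlt.conf.json); [[ "$ver" =~ ^codeql-bundle-v[0-9.]+$ ]] || { echo "::error::bad bundle version"; exit 1; }` (adjust the pattern to the tag format actually used).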