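name: "Scan for Security Weaknesses and Exposures"

on:
  push:
    branches: [ "main", "dev" ]
  pull_request:
  schedule:
    # Regular re-scan of unchanged code so that newly published CodeQL queries
    # (updated CWE detection patterns, etc.) are applied without waiting for a push.
    - cron: '35 02,14 * * *'

# Least privilege: only the scopes the CodeQL action needs. The build steps
# below compile pull-request code (cargo/go/dotnet/swift builds can run
# arbitrary build scripts), so do not widen this token beyond what is listed.
permissions:
  security-events: write   # required to upload analysis results
  packages: read
  actions: read
  contents: read

jobs:
  analyze:
    name: Check for Common CWEs/Security Issues in (${{ matrix.language }}) Source Code
    # CodeQL's Swift extractor is macOS-only (Linux support was removed); route
    # the Swift matrix cell to macos-15. Everything else runs on ubuntu-24.04.
    runs-on: ${{ (matrix.language == 'swift' && 'macos-15') || 'ubuntu-24.04' }}
    strategy:
      # Keep analysing the other languages when one matrix cell fails.
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: c-cpp
            build-mode: manual
          - language: csharp
            build-mode: manual
          - language: go
            build-mode: manual
          - language: java-kotlin
            build-mode: manual
          - language: python
            build-mode: none
          - language: rust
            build-mode: none
          - language: swift
            build-mode: manual
    steps:
      # All third-party actions are pinned to a full commit SHA (tag in the
      # trailing comment) so a moved tag cannot change what runs here.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      # MUST come before codeql-action/init, otherwise CodeQL's Go tracer
      # can't wrap the `go` binary. See
      # https://github.com/github/codeql-action/issues/2419
      - name: Set up Go
        if: matrix.language == 'go'
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "1.24"
          cache-dependency-path: exports/simrs-hle-go/go.sum

      - name: Initialize CodeQL Code Scanning
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # Manual build-mode cells: each step below must actually compile the
      # sources for its language while CodeQL's tracer is active, otherwise
      # the extractor sees nothing to analyse.
      - name: Build C API and JNI Shim for Analysis
        if: matrix.language == 'c-cpp'
        run: |
          rustup default stable
          cargo test --manifest-path exports/simrs-hle-java/Cargo.toml --no-run

      - name: Build Go Package for Analysis
        if: matrix.language == 'go'
        run: |
          rustup default stable
          # Build the C API the Go package links against.
          cargo build --manifest-path exports/simrs-hle-capi/Cargo.toml --release
          CAPI_DIR="$PWD/exports/simrs-hle-capi/target/release"
          HEADER_DIR=$(find "$CAPI_DIR/build" -name 'simrs.h' -printf '%h\n' | head -1)
          # Fail loudly here rather than handing cgo an empty "-I" and letting
          # it fail later with a less obvious error.
          if [ -z "$HEADER_DIR" ]; then
            echo "simrs.h not found under $CAPI_DIR/build; cannot set CGO_CFLAGS" >&2
            exit 1
          fi
          export CGO_CFLAGS="-I$HEADER_DIR"
          export CGO_LDFLAGS="-L$CAPI_DIR -lsimrs_hle_capi"
          export LD_LIBRARY_PATH="$CAPI_DIR"
          # Actually compile the Go sources so CodeQL can index them.
          # Use GOTOOLCHAIN=local to prevent Go from auto-downloading a
          # newer toolchain (which wouldn't inherit CodeQL's LD_PRELOAD).
          export GOTOOLCHAIN=local
          cd exports/simrs-hle-go
          go build ./...
          go test -c -o /dev/null ./...

      - name: Build Swift Package for Analysis
        if: matrix.language == 'swift'
        run: |
          rustup default stable
          cargo build --manifest-path exports/simrs-hle-capi/Cargo.toml
          swift build --package-path exports/simrs-hle-swift

      - name: Build Java/Kotlin Bindings for Analysis
        if: matrix.language == 'java-kotlin'
        env:
          # Single source of truth for the compiler version used in the URL below.
          KOTLIN_VERSION: "2.3.20"
        run: |
          rustup default stable
          # NOTE(security): the Kotlin compiler is fetched over HTTPS but its
          # integrity is not verified before it is unpacked and executed. Pin the
          # archive's SHA-256 (taken from the JetBrains release) and check it with
          # `sha256sum -c` before `unzip`; the digest is not recorded in this
          # repository yet, so that verification is still a TODO.
          # `-f` makes curl exit non-zero on an HTTP error instead of saving the
          # error page as kotlinc.zip.
          curl -fsSL "https://github.com/JetBrains/kotlin/releases/download/v${KOTLIN_VERSION}/kotlin-compiler-${KOTLIN_VERSION}.zip" -o /tmp/kotlinc.zip
          unzip -q /tmp/kotlinc.zip -d "$HOME/"
          # GITHUB_PATH only takes effect for later steps; export PATH so the
          # cargo invocation in this step can find kotlinc as well.
          echo "$HOME/kotlinc/bin" >> "$GITHUB_PATH"
          export PATH="$HOME/kotlinc/bin:$PATH"
          cargo test --manifest-path exports/simrs-hle-java/Cargo.toml --no-run

      - name: Build .NET Bindings for Analysis
        if: matrix.language == 'csharp'
        run: |
          rustup default stable
          cargo build --manifest-path exports/simrs-hle-capi/Cargo.toml
          dotnet build exports/simrs-hle-dotnet/SimRS.sln

      - name: Perform CodeQL Code Analysis
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          category: "/language:${{matrix.language}}"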