For bug 70996 #610
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CodeQL Scanner" | |
| on: | |
| push: | |
| branches: | |
| - 'master' | |
| - 'release/**' | |
| - 'hotfix/**' | |
| paths-ignore: | |
| - '**/README.md' | |
| - '**/LICENSE' | |
| - '.github/**' | |
| #pull_request: | |
| # branches: | |
| # - 'master' | |
| # - 'release/**' | |
| # - 'hotfix/**' | |
| schedule: | |
| - cron: '00 19 * * 5' | |
| # This job take a lot of time, so if the number of worker | |
| # processes from one branch or one PR exceeds 1, all previous | |
| # running processes will be automatically canceled to avoid the accumulation | |
| # of a large number of concurrent workers | |
| concurrency: | |
| group: codeql-${{ github.event.pull_request.number || github.ref_name }} | |
| cancel-in-progress: true | |
| env: | |
| SOURCE_ROOT: "/build/core" | |
| jobs: | |
| analyze: | |
| name: Analyze | |
| runs-on: ${{ 'ubuntu-latest' }} | |
| container: | |
| image: ${{ matrix.image }} | |
| options: --privileged | |
| volumes: | |
| - /usr/local/lib:/foovolume/android | |
| - /usr/local/share:/foovolume/boost | |
| - /usr/share:/foovolume/dotnet | |
| - /opt:/foovolume/opt | |
| - /opt/hostedtoolcache:/foovolume/tool | |
| timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'c-cpp' ] | |
| image: ["ubuntu:20.04"] | |
| # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] | |
| # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both | |
| # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both | |
| # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | |
| steps: | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - name: make free space in container | |
| run: | | |
| rm -rf /foovolume/android/android | |
| rm -rf /foovolume/dotnet/dotnet | |
| rm -rf /foovolume/boost/boost | |
| rm -rf /foovolume/opt/ghc | |
| rm -rf /foovolume/tool/* | |
| df -h | |
| # Prepare container environment | |
| # Install some deps | |
| # Set cache restore keys | |
| - name: Prepare environment | |
| id: prepare | |
| shell: bash | |
| env: | |
| TZ: Etc/UTC | |
| run: | | |
| pwd | |
| ls -la | |
| ln -snf /usr/share/zoneinfo/$TZ /etc/localtime | |
| echo $TZ > /etc/timezone | |
| apt-get update | |
| apt-get install -y python3 python2 sudo curl jq git | |
| apt-get install -y python || true | |
| rm /usr/bin/python || true | |
| ln -s /usr/bin/python2 /usr/bin/python | |
| mkdir -p /build | |
| git clone --depth 1 \ | |
| --single-branch \ | |
| --branch ${{ github.base_ref || github.ref_name }} https://github.com/ONLYOFFICE/core.git ${SOURCE_ROOT} | |
| git clone --depth 1 \ | |
| --single-branch \ | |
| --branch ${{ github.base_ref || github.ref_name }} https://github.com/ONLYOFFICE/build_tools.git /build/build_tools | |
| echo "party-key=$(curl -L -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "https://api.github.com/repos/ONLYOFFICE/core/commits?per_page=1&path=/Common/3dParty&sha=${{ github.base_ref || github.ref_name }}" | \ | |
| jq -r '.[].sha')" >> "$GITHUB_OUTPUT" | |
| echo "qt-key=$(cat /build/build_tools/tools/linux/automate.py | egrep -m1 -o "qt_source_([0-9])?.([0-9])?.([0-9])?")" >> "$GITHUB_OUTPUT" | |
| # Restore 3dParty from cache if cache key is match | |
| - uses: actions/cache/restore@v3 | |
| id: restore-3d | |
| with: | |
| path: /build/core/Common/3dParty | |
| key: 3dParty-${{ steps.prepare.outputs.party-key }} | |
| # Restore qt tool from cache if cache key is match | |
| - uses: actions/cache/restore@v3 | |
| id: restore-qt | |
| with: | |
| path: /build/build_tools/tools/linux/qt_build | |
| key: qt-${{ steps.prepare.outputs.qt-key }} | |
| # NOTE: | |
| # init codeql with custom source-root dir | |
| # because sources code was checkout with git from cli | |
| # NOT with checkout action | |
| # Also. Init and scan with codeql only if all cache hit | |
| # otherwise will no initialization, just build and cache depends | |
| - name: Initialize CodeQL | |
| if: > | |
| steps.restore-3d.outputs.cache-hit == 'true' | |
| && steps.restore-qt.outputs.cache-hit == 'true' | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| source-root: ${{ env.SOURCE_ROOT }} | |
| - name: build | |
| shell: bash | |
| run: | | |
| cd /build/build_tools/tools/linux | |
| python3 ./automate.py core | |
| - name: Perform CodeQL Analysis | |
| if: > | |
| steps.restore-3d.outputs.cache-hit == 'true' | |
| && steps.restore-qt.outputs.cache-hit == 'true' | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| # Make new 3dParty cache if restore action do not restore any cache | |
| - uses: actions/cache/save@v3 | |
| if: steps.restore-3d.outputs.cache-hit != 'true' | |
| id: save-3d | |
| with: | |
| path: /build/core/Common/3dParty | |
| key: 3dParty-${{ steps.prepare.outputs.party-key }} | |
| # Make new qt tool cache if restore action do not restore any cache | |
| - uses: actions/cache/save@v3 | |
| if: steps.restore-qt.outputs.cache-hit != 'true' | |
| id: save-qt | |
| with: | |
| path: /build/build_tools/tools/linux/qt_build | |
| key: qt-${{ steps.prepare.outputs.qt-key }} |