Skip to content

Fix bug 71045

Fix bug 71045 #612

Workflow file for this run

name: "CodeQL Scanner"
on:
push:
branches:
- 'master'
- 'release/**'
- 'hotfix/**'
paths-ignore:
- '**/README.md'
- '**/LICENSE'
- '.github/**'
#pull_request:
# branches:
# - 'master'
# - 'release/**'
# - 'hotfix/**'
schedule:
- cron: '00 19 * * 5'
# This job take a lot of time, so if the number of worker
# processes from one branch or one PR exceeds 1, all previous
# running processes will be automatically canceled to avoid the accumulation
# of a large number of concurrent workers
concurrency:
group: codeql-${{ github.event.pull_request.number || github.ref_name }}
cancel-in-progress: true
env:
SOURCE_ROOT: "/build/core"
jobs:
analyze:
name: Analyze
runs-on: ${{ 'ubuntu-latest' }}
container:
image: ${{ matrix.image }}
options: --privileged
volumes:
- /usr/local/lib:/foovolume/android
- /usr/local/share:/foovolume/boost
- /usr/share:/foovolume/dotnet
- /opt:/foovolume/opt
- /opt/hostedtoolcache:/foovolume/tool
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'c-cpp' ]
image: ["ubuntu:20.04"]
# CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
# Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- uses: actions/setup-node@v4
with:
node-version: 20
- name: make free space in container
run: |
rm -rf /foovolume/android/android
rm -rf /foovolume/dotnet/dotnet
rm -rf /foovolume/boost/boost
rm -rf /foovolume/opt/ghc
rm -rf /foovolume/tool/*
df -h
# Prepare container environment
# Install some deps
# Set cache restore keys
- name: Prepare environment
id: prepare
shell: bash
env:
TZ: Etc/UTC
run: |
pwd
ls -la
ln -snf /usr/share/zoneinfo/$TZ /etc/localtime
echo $TZ > /etc/timezone
apt-get update
apt-get install -y python3 python2 sudo curl jq git
apt-get install -y python || true
rm /usr/bin/python || true
ln -s /usr/bin/python2 /usr/bin/python
mkdir -p /build
git clone --depth 1 \
--single-branch \
--branch ${{ github.base_ref || github.ref_name }} https://github.com/ONLYOFFICE/core.git ${SOURCE_ROOT}
git clone --depth 1 \
--single-branch \
--branch ${{ github.base_ref || github.ref_name }} https://github.com/ONLYOFFICE/build_tools.git /build/build_tools
echo "party-key=$(curl -L -H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/repos/ONLYOFFICE/core/commits?per_page=1&path=/Common/3dParty&sha=${{ github.base_ref || github.ref_name }}" | \
jq -r '.[].sha')" >> "$GITHUB_OUTPUT"
echo "qt-key=$(cat /build/build_tools/tools/linux/automate.py | egrep -m1 -o "qt_source_([0-9])?.([0-9])?.([0-9])?")" >> "$GITHUB_OUTPUT"
# Restore 3dParty from cache if cache key is match
- uses: actions/cache/restore@v3
id: restore-3d
with:
path: /build/core/Common/3dParty
key: 3dParty-${{ steps.prepare.outputs.party-key }}
# Restore qt tool from cache if cache key is match
- uses: actions/cache/restore@v3
id: restore-qt
with:
path: /build/build_tools/tools/linux/qt_build
key: qt-${{ steps.prepare.outputs.qt-key }}
# NOTE:
# init codeql with custom source-root dir
# because sources code was checkout with git from cli
# NOT with checkout action
# Also. Init and scan with codeql only if all cache hit
# otherwise will no initialization, just build and cache depends
- name: Initialize CodeQL
if: >
steps.restore-3d.outputs.cache-hit == 'true'
&& steps.restore-qt.outputs.cache-hit == 'true'
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
source-root: ${{ env.SOURCE_ROOT }}
- name: build
shell: bash
run: |
cd /build/build_tools/tools/linux
python3 ./automate.py core
- name: Perform CodeQL Analysis
if: >
steps.restore-3d.outputs.cache-hit == 'true'
&& steps.restore-qt.outputs.cache-hit == 'true'
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
# Make new 3dParty cache if restore action do not restore any cache
- uses: actions/cache/save@v3
if: steps.restore-3d.outputs.cache-hit != 'true'
id: save-3d
with:
path: /build/core/Common/3dParty
key: 3dParty-${{ steps.prepare.outputs.party-key }}
# Make new qt tool cache if restore action do not restore any cache
- uses: actions/cache/save@v3
if: steps.restore-qt.outputs.cache-hit != 'true'
id: save-qt
with:
path: /build/build_tools/tools/linux/qt_build
key: qt-${{ steps.prepare.outputs.qt-key }}