-
Notifications
You must be signed in to change notification settings - Fork 600
144 lines (119 loc) · 3.8 KB
/
codeql.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: 'CodeQL'
on:
workflow_dispatch:
jobs:
analyze-javascript:
name: Analyze JavaScript
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- uses: pnpm/action-setup@v3
with:
version: 9
run_install: false
- name: Get pnpm store directory
shell: bash
run: |
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- uses: actions/cache@v4
name: Setup pnpm cache
with:
path: |
${{ env.STORE_PATH }}
.nx/cache
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-store
- name: Install dependencies
run: |
corepack enable
pnpm install
# - name: Build npm packages
# run: pnpm run all:build
- name: Get head SHA
id: get-head-sha
run: echo "SHA=$(git rev-parse origin/${{ github.ref_name }})" >> "$GITHUB_OUTPUT"
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: javascript
config-file: ./.github/codeql/codeql-config.yml
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:javascript"
ref: refs/heads/${{ github.ref_name }}
sha: ${{ steps.get-head-sha.outputs.SHA }}
analyze-csharp:
name: Analyze C#
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Get head SHA
id: get-head-sha
run: echo "SHA=$(git rev-parse origin/${{ github.ref_name }})" >> "$GITHUB_OUTPUT"
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: csharp
config-file: ./.github/codeql/codeql-config.yml
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:csharp"
ref: refs/heads/${{ github.ref_name }}
sha: ${{ steps.get-head-sha.outputs.SHA }}
fetch:
runs-on: devextreme-shr2
name: Fetch analysis
needs: [ analyze-javascript, analyze-csharp ]
steps:
- name: Get Latest Analysis info
run: |
RESPONSE=$(curl \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
https://api.github.com/repos/${{ github.repository }}/code-scanning/alerts)
echo 'ALERTS<<EOF' >> $GITHUB_ENV
echo $RESPONSE >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
notify:
runs-on: devextreme-shr2
name: Send notifications
needs: [ fetch ]
steps:
- name: Get Date
id: get-date
shell: bash
run: echo "date=$(/bin/date -u "+%s")" >> $GITHUB_OUTPUT
- uses: actions/cache@v4
id: notify-cache
with:
path: notify.json
key: ${{ runner.os }}-${{ steps.get-date.outputs.date }}
restore-keys: ${{ runner.os }}
- name: Teams Notification
uses: DevExpress/github-actions/send-teams-notification@v1
with:
hook_url: ${{ secrets.TEAMS_HOOK_TMP }}
alerts: ${{ env.ALERTS }}