From 43c5399b628ef504db70bfaa8416acf8aeaf50dc Mon Sep 17 00:00:00 2001
From: Thibault Charbonnier <thibaultcha@me.com>
Date: Tue, 11 Jun 2024 12:42:57 -0700
Subject: [PATCH] chore(ci) move CodeQL analysis to its own recurring workflow

See #503
---
 .github/workflows/ci-large.yml                | 15 ------
 .github/workflows/ci.yml                      | 15 ------
 .../{job-codeql-analyzer.yml => codeql.yml}   | 54 ++++++++++---------
 3 files changed, 29 insertions(+), 55 deletions(-)
 rename .github/workflows/{job-codeql-analyzer.yml => codeql.yml} (57%)

diff --git a/.github/workflows/ci-large.yml b/.github/workflows/ci-large.yml
index 3fc7e3c10..77f731d00 100644
--- a/.github/workflows/ci-large.yml
+++ b/.github/workflows/ci-large.yml
@@ -130,21 +130,6 @@ jobs:
       ssl: ${{ matrix.ssl }}
       debug: ${{ matrix.debug }}
 
-  codeql:
-    name: 'CodeQL analyzer'
-    #timeout-minutes: see job-codeql-analyzer.yml
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["c-cpp"]
-        openresty: [1.25.3.1]
-        runtime: [wasmtime, wasmer, v8]
-    uses: ./.github/workflows/job-codeql-analyzer.yml
-    with:
-      language: ${{ matrix.language }}
-      openresty: ${{ matrix.openresty }}
-      runtime: ${{ matrix.runtime }}
-
   build:
     name: 'Build'
     #if: ${{ false }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d90912a20..a6e6193a8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -303,21 +303,6 @@ jobs:
       ssl: ${{ matrix.ssl }}
       debug: ${{ matrix.debug }}
 
-  codeql:
-    name: 'CodeQL analyzer'
-    #timeout-minutes: see job-codeql-analyzer.yml
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["c-cpp"]
-        openresty: [1.25.3.1]
-        runtime: [wasmtime, wasmer, v8]
-    uses: ./.github/workflows/job-codeql-analyzer.yml
-    with:
-      language: ${{ matrix.language }}
-      openresty: ${{ matrix.openresty }}
-      runtime: ${{ matrix.runtime }}
-
   build:
     name: 'Build'
     #if: ${{ false }}
diff --git a/.github/workflows/job-codeql-analyzer.yml b/.github/workflows/codeql.yml
similarity index 57%
rename from .github/workflows/job-codeql-analyzer.yml
rename to .github/workflows/codeql.yml
index 8c7651999..bc4d2528b 100644
--- a/.github/workflows/job-codeql-analyzer.yml
+++ b/.github/workflows/codeql.yml
@@ -1,28 +1,20 @@
 name: CodeQL
 
 on:
-  workflow_call:
-    inputs:
-      language:
-        required: true
-        type: string
-      openresty:
-        required: true
-        type: string
-      runtime:
-        required: true
-        type: string
+  push:
+    branches: main
+    paths-ignore:
+      - '**/*.md'
+      - '**/release.yml'
+      - '**/ci-large.yml'
+      - 'assets/release/Dockerfiles/*'
+  #pull_request:
+    #branches: '**'
 
 defaults:
   run:
     shell: bash
 
-env:
-  NGX_BUILD_OPENRESTY: ${{ inputs.openresty }}
-  NGX_BUILD_DEBUG: 1
-  NGX_BUILD_SSL: 1
-  NGX_BUILD_DYNAMIC_MODULE: 1
-
 jobs:
   codeql:
     name: 'CodeQL analyzer'
@@ -32,14 +24,20 @@ jobs:
       actions: read
       contents: read
       security-events: write
-    outputs:
-      sarif_file: ${{ steps.sarif-filename.outputs.name }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: c-cpp
+            build-mode: manual
+            openresty: 1.25.3.1
+            runtime: v8 # v8bridge
     steps:
       - uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: github/codeql-action/init@v3
         with:
-          languages: ${{ inputs.language }}
+          languages: ${{ matrix.language }}
       - name: 'Setup cache - work/ dir'
         uses: actions/cache@v4
         if: ${{ !env.ACT }}
@@ -48,11 +46,17 @@ jobs:
             work/downloads
             work/runtimes
             work/openssl
-          key: codeql-work-${{ inputs.runtime }}-${{ hashFiles('util/**/*.sh', 'util/**/*.pl', 'util/**/*.awk', '.github/**/*.yml', '.github/**/*.sh', '.github/**/*.js', 'rust-toolchain', 'Makefile') }}
+          key: codeql-work-${{ matrix.os }}-${{ matrix.cc }}-${{ matrix.ngx }}-${{ matrix.openresty }}-${{ matrix.runtime }}-${{ hashFiles('util/**/*.sh', 'util/**/*.pl', 'util/**/*.awk', '.github/**/*.yml', '.github/**/*.sh', '.github/**/*.js', 'rust-toolchain', 'Makefile') }}
       - name: Setup Wasm runtime
-        run: ./util/runtime.sh -R ${{ inputs.runtime }} -V ${{ inputs[inputs.runtime] }}
+        run: ./util/runtime.sh -R ${{ matrix.runtime }} -V ${{ matrix[matrix.runtime] }}
       - run: make setup
       - run: make
+        env:
+          NGX_WASM_RUNTIME: ${{ matrix.runtime }}
+          NGX_BUILD_OPENRESTY: ${{ matrix.openresty }}
+          NGX_BUILD_DYNAMIC_MODULE: 1
+          NGX_BUILD_DEBUG: 1
+          NGX_BUILD_SSL: 1
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
@@ -60,10 +64,10 @@ jobs:
           output: sarif-results
       - id: sarif-filename
         run: |
-          if [ "${{ inputs.language }}" = "c-cpp" ]; then
+          if [ "${{ matrix.language }}" = "c-cpp" ]; then
             echo "name=cpp" >> $GITHUB_OUTPUT
           else
-            echo "name=${{ inputs.language }}" >> $GITHUB_OUTPUT
+            echo "name=${{ matrix.language }}" >> $GITHUB_OUTPUT
           fi
       - name: Filter SARIF
         uses: advanced-security/filter-sarif@v1
@@ -80,6 +84,6 @@ jobs:
           sarif_file: sarif-results
       - uses: actions/upload-artifact@v4
         with:
-          name: sarif-results-${{ inputs.runtime }}
+          name: sarif-results-${{ matrix.runtime }}
           path: sarif-results
           retention-days: ${{ github.retention_days }}