Skip to content

🔮 CI CodeQL Scan #201

🔮 CI CodeQL Scan

🔮 CI CodeQL Scan #201

# Static code analysis workflow with CodeQL
name: "🔮 CI CodeQL Scan"
on:
push:
branches: [ master ]
paths:
- '.github/**/*codeql*.yml'
- 'Apps/**'
- 'Modules/**'
- 'Externals/**'
- 'Tests/**'
- 'CMake/**'
- 'CMakeLists.txt'
- 'CMakePresets.json'
pull_request:
branches: [ master ]
paths:
- '.github/**/*codeql*.yml'
- 'Apps/**'
- 'Modules/**'
- 'Externals/**'
- 'Tests/**'
- 'CMake/**'
- 'CMakeLists.txt'
- 'CMakePresets.json'
schedule:
- cron: '20 23 * * 3' # Scheduled workflow will not run in GitHub forks by default
jobs:
analyze:
name: ${{ matrix.name }}
if: ${{ github.repository == 'MethanePowered/MethaneKit' }}
strategy:
fail-fast: false
matrix:
include:
# FIXME: Windows CodeQL analysis is DISABLED because it fails with compiler "error C1060: compiler is out of heap space"
#- os: windows-latest
# name: "Win64_DX_CodeQL-Scan"
# config_preset: "VS2022-Win64-DX-Scan"
# build_preset: "VS2022-Win64-DX-Scan"
- os: ubuntu-latest
name: "Ubuntu_VK_CodeQL-Scan"
config_preset: "Make-Lin-VK-Scan"
build_preset: "Make-Lin-VK-Scan"
- os: macos-latest
name: "MacOS_MTL_CodeQL-Scan"
config_preset: "Xcode-Mac-MTL-Scan"
build_preset: "Xcode-Mac-MTL-Scan"
runs-on: ${{ matrix.os }}
env:
NAME: CodeQL-${{ matrix.os }}
steps:
- name: Install Linux prerequisites
if: ${{ matrix.os == 'ubuntu-latest' }}
run: |
sudo apt update
sudo apt install xcb libx11-dev libx11-xcb-dev libxcb-sync-dev libxcb-randr0-dev
- name: Checkout repository
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: cpp
config-file: ./.github/codeql/codeql-config.yml
- name: Initialize Externals Cache
id: cache-externals
uses: actions/cache@v3
env:
cache-name: cache-externals
with:
path: Build/Output/ExternalsCache
key: ExternalsCache-${{ matrix.config_preset }}-${{ hashFiles('Externals/*.cmake') }}
- name: CMake Configure Preset ${{ matrix.config_preset }}
run: cmake --preset ${{ matrix.config_preset }} -DMETHANE_CODE_COVERAGE_ENABLED:BOOL=OFF -DMETHANE_TESTS_BUILD_ENABLED:BOOL=OFF
- name: CMake Build Preset ${{ matrix.build_preset }}
run: cmake --build --preset ${{ matrix.build_preset }} --parallel 4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
upload: false
output: results
- name: Filter CodeQL Results
uses: MethanePowered/FilterSarif@master
with:
patterns: |
-Build/Output/**
-Externals/**
-Tests/**
input: results/cpp.sarif
output: results/cpp-filtered.sarif
- name: Upload Filtered CodeQL Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results/cpp-filtered.sarif