CodeQL #637
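---
# Run CodeQL to analyze C/C++, Python and Go code.
#
# The `prepare` job decides which language jobs need to run. Every language is
# analyzed on push and on the weekly schedule, and on pull requests that carry
# the `run-ci/codeql` label; otherwise a language job runs only when files of
# that language changed relative to the pull request's base branch.
#
# NOTE(review): `actions/checkout@v4` and `github/codeql-action/*@v3` are
# mutable tags; pinning each `uses:` to a full commit SHA (with the tag in a
# trailing comment) protects this workflow against a compromised tag.
name: CodeQL
on:
  pull_request:
    types: [opened, reopened, labeled, synchronize]
    branches: [master]
  push:
    branches: [master]
  schedule:
    - cron: "27 2 * * 1"
env:
  # Environment values are always strings; quote to avoid YAML integer typing.
  DISABLE_TELEMETRY: "1"
concurrency:
  # One CodeQL run per ref; a newer run on the same ref supersedes the old one.
  group: codeql-${{ github.ref }}
  cancel-in-progress: true
jobs:
  prepare:
    name: Prepare Jobs
    runs-on: ubuntu-latest
    # This job only reads the checkout; it never needs a writable token.
    permissions:
      contents: read
    outputs:
      cpp: ${{ steps.cpp.outputs.run }}
      python: ${{ steps.python.outputs.run }}
      go: ${{ steps.go.outputs.run }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          # Full history is needed so `origin/<base branch>` is available
          # to the `git diff` calls below.
          fetch-depth: 0
      - name: Check if we should always run
        id: always
        # Expression results are passed through `env` rather than being
        # interpolated into the shell script, so no GitHub context value
        # is ever expanded as shell source.
        env:
          HAS_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'run-ci/codeql') }}
        run: |
          # Push and schedule events always analyze everything; pull requests
          # do so only when labeled.
          if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
            if [ "${HAS_LABEL}" = "true" ]; then
              echo "run=true" >> "${GITHUB_OUTPUT}"
              echo '::notice::Found run-ci/codeql label, unconditionally running all CodeQL checks.'
            else
              echo "run=false" >> "${GITHUB_OUTPUT}"
            fi
          else
            echo "run=true" >> "${GITHUB_OUTPUT}"
          fi
      - name: Check for C/C++ changes
        id: cpp
        run: |
          # The assignment fails the step (errexit) if the diff itself fails,
          # instead of silently reporting "no changes".
          if [ "${{ steps.always.outputs.run }}" = "false" ]; then
            changed="$(git diff --name-only "origin/${GITHUB_BASE_REF}" HEAD)"
            # Anchored to the file extension: the previous pattern matched any
            # path merely containing ".c" or ".h" (e.g. ".cmake", ".config").
            if printf '%s\n' "${changed}" | grep -Eq '\.(c|h|cc|hh|cpp|hpp|cxx|hxx|c\+\+|h\+\+)$' ; then
              echo "run=true" >> "${GITHUB_OUTPUT}"
              echo '::notice::C/C++ code has changed, need to run CodeQL.'
            else
              echo "run=false" >> "${GITHUB_OUTPUT}"
            fi
          else
            echo "run=true" >> "${GITHUB_OUTPUT}"
          fi
      - name: Check for python changes
        id: python
        run: |
          if [ "${{ steps.always.outputs.run }}" = "false" ]; then
            changed="$(git diff --name-only "origin/${GITHUB_BASE_REF}" HEAD)"
            # Dots in the directory name are escaped and the extension is
            # anchored, so ".pyc"/".pyi" files do not count as Python sources.
            if printf '%s\n' "${changed}" | grep -Eq '^src/collectors/python\.d\.plugin/.*\.py$' ; then
              echo "run=true" >> "${GITHUB_OUTPUT}"
              echo '::notice::Python code has changed, need to run CodeQL.'
            else
              echo "run=false" >> "${GITHUB_OUTPUT}"
            fi
          else
            echo "run=true" >> "${GITHUB_OUTPUT}"
          fi
      - name: Check for Go changes
        id: go
        run: |
          if [ "${{ steps.always.outputs.run }}" = "false" ]; then
            changed="$(git diff --name-only "origin/${GITHUB_BASE_REF}" HEAD)"
            # The previous pattern `src/go/*\.go` was a shell glob written as a
            # regex: in ERE `/*` means "zero or more slashes", so no file under
            # `src/go/<dir>/` ever matched and the Go analysis was skipped on
            # unlabeled pull requests.
            if printf '%s\n' "${changed}" | grep -Eq '^src/go/.*\.go$' ; then
              echo "run=true" >> "${GITHUB_OUTPUT}"
              echo '::notice::Go code has changed, need to run CodeQL.'
            else
              echo "run=false" >> "${GITHUB_OUTPUT}"
            fi
          else
            echo "run=true" >> "${GITHUB_OUTPUT}"
          fi
  analyze-cpp:
    name: Analyze C/C++
    runs-on: ubuntu-latest
    needs: prepare
    if: needs.prepare.outputs.cpp == 'true'
    # Least privilege: read the repository, upload SARIF results, nothing else.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Git clone repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: cpp
          config-file: ./.github/codeql/c-cpp-config.yml
      - name: Prepare environment
        run: ./packaging/installer/install-required-packages.sh --dont-wait --non-interactive netdata
      - name: Build netdata
        # A real build is required so the C/C++ extractor observes every
        # compilation unit; the installed tree is throwaway.
        run: ./netdata-installer.sh --dont-start-it --disable-telemetry --dont-wait --install-prefix /tmp/install --one-time-build
      - name: Run CodeQL
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:cpp"
  analyze-python:
    name: Analyze Python
    runs-on: ubuntu-latest
    needs: prepare
    if: needs.prepare.outputs.python == 'true'
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Git clone repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          config-file: ./.github/codeql/python-config.yml
          languages: python
      - name: Run CodeQL
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"
  analyze-go:
    name: Analyze Go
    runs-on: ubuntu-latest
    needs: prepare
    if: needs.prepare.outputs.go == 'true'
    strategy:
      matrix:
        # One autobuild per Go module root.
        tree:
          - src/go/collectors/go.d.plugin
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Git clone repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
        with:
          working-directory: ${{ matrix.tree }}
      - name: Run CodeQL
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:go"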