mirror of
https://github.com/github/codeql.git
synced 2025-12-24 12:46:34 +01:00
b58c856756
Repositories can be configured with Default access (restricted) https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token Best practice says that workflows should declare the minimal permissions they require. Without declaring permissions, paranoid forks fail miserably.
46 lines
1.3 KiB
YAML
46 lines
1.3 KiB
YAML
name: Build framework coverage reports
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
qlModelShaOverride:
|
|
description: "github/codeql repo SHA used for looking up the CSV models"
|
|
required: false
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Clone self (github/codeql)
|
|
uses: actions/checkout@v4
|
|
with:
|
|
path: script
|
|
- name: Clone self (github/codeql) for analysis
|
|
uses: actions/checkout@v4
|
|
with:
|
|
path: codeqlModels
|
|
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
|
- name: Set up Python 3.8
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: 3.8
|
|
- name: Download CodeQL CLI
|
|
uses: ./script/.github/actions/fetch-codeql
|
|
- name: Build modeled package list
|
|
run: |
|
|
python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
|
|
- name: Upload CSV package list
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: framework-coverage-csv
|
|
path: framework-coverage-*.csv
|
|
- name: Upload RST package list
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: framework-coverage-rst
|
|
path: framework-coverage-*.rst
|