hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-06 15:49:08 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
5fa1c04e2aeb32b31ea789de9461fdcecf81f05b
codeql/.github/workflows/nightly-changes.yml
Esben Sparre Andreasen d49db9298c QL: change code-scanning branch
2021-10-18 20:58:02 +02:00

132 lines
4.3 KiB
YAML
Raw Blame History

name: "Nightly analysis of changes in standard repos"
on:
workflow_dispatch:
schedule:
- cron: '15 4 * * *'
jobs:
build:
uses: github/codeql-ql/.github/workflows/build.yml@main
with:
os: '[ "ubuntu-latest" ]'
prepare-alert-branch:
runs-on: ubuntu-latest
steps:
- name: Checkout code-scanning alert branch
uses: actions/checkout@v2
with:
ref: nightly-changes-alerts
- name: Checkout codeql
uses: actions/checkout@v2
with:
repository: github/codeql
path: codeql
- name: Checkout codeql-go
uses: actions/checkout@v2
with:
repository: github/codeql-go
path: codeql-go
- name: Store relevant files
run: |
git config --global user.name "${GITHUB_ACTOR}"
git config --global user.email "${GITHUB_ACTOR}+github/codeql-ql@users.noreply.github.com"
# see repo-tests/import-repositories.sh
for repo in codeql codeql-go; do
git -C "$repo" rev-parse HEAD > "$repo.txt";
# remove upgrades and tests (heuristic)
find "$repo" -depth -type d \( -path "*/upgrades" -o -path "*/ql/test" \) -exec rm -rf {} \; ;
# only preserve files mentioned in tools/autobuild.sh
find "$repo" -type f -not \( -name "*.qll" -o -name "*.ql" -o -name "*.dbscheme" -o -name qlpack.yml \) -exec rm -f {} \; ;
# remove empty directories (git does not care though)
find "$repo" -type d -empty -delete;
git add "$repo" "$repo.txt";
git commit --allow-empty -m "Add $repo sources ($(tr -d '\n' < $repo.txt))";
done
git push
analyze:
name: Analyze
needs:
- build
- prepare-alert-branch
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Download pack
uses: actions/download-artifact@v2
with:
name: codeql-ql-pack
path: ${{ runner.temp }}/codeql-ql-pack-artifact
- name: Prepare pack
run: |
unzip "${PACK_ARTIFACT}/*.zip" -d "${PACK}"
env:
PACK_ARTIFACT: ${{ runner.temp }}/codeql-ql-pack-artifact
PACK: ${{ runner.temp }}/pack
- name: Hack codeql-action options
run: |
JSON=$(jq -nc --arg pack "${PACK}" '.resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]')
echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
env:
PACK: ${{ runner.temp }}/pack
- name: Checkout code-scanning alert branch
uses: actions/checkout@v2
with:
ref: nightly-changes-alerts
- name: Initialize CodeQL
uses: github/codeql-action/init@esbena/ql
with:
languages: ql
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@esbena/ql
with:
upload: false
output: ${{ runner.temp }}/sarifs
add-snippets: true
- name: Upload results artifact
uses: actions/upload-artifact@v2
with:
name: results
path: ${{ runner.temp }}/sarifs
- name: Obtain git info for sarif upload
id: git-info
run: |
echo "::set-output name=commit_sha::$(git log -1 --format=%H | tr -d '\n')"
echo "::set-output name=ref::refs/heads/nightly-changes-alerts"
- name: Upload results to code-scanning
run: |
URL="https://api.github.com/repos/github/codeql-ql/code-scanning/sarifs"
ENCODED_SARIF_FILE=ql.sarif.encoded
gzip -c "${SARIFS}/ql.sarif" | base64 -w0 > "${ENCODED_SARIF_FILE}"
ARGS_FILE=args.json
jq -nc --arg commit_sha "${COMMIT_SHA}" --arg ref "${REF}" --rawfile sarif "${ENCODED_SARIF_FILE}" '.commit_sha=$commit_sha | .ref=$ref | .sarif=$sarif' > "${ARGS_FILE}"
curl -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github.v3+json" "${URL}" -d "@${ARGS_FILE}"
env:
COMMIT_SHA: ${{ steps.git-info.outputs.commit_sha }}
REF: ${{ steps.git-info.outputs.ref }}
SARIFS: ${{ runner.temp }}/sarifs
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Reference in New Issue View Git Blame Copy Permalink