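---
# Scheduled CodeQL scan of this repository.
# - csharp is analysed with CodeQL's autobuild.
# - c-cpp uses build-mode "manual": Qt, CMake and FASTBuild are installed
#   first and the CMake preset is built between `init` and `analyze` so the
#   CodeQL tracer observes every native translation unit.
name: "CodeQL Advanced"

on:
  schedule:
    # 00:00 UTC on the first day of every month. There is no push or
    # pull_request trigger, so new findings only surface on this cadence.
    - cron: "0 0 1 * *"

# One run per workflow+ref; a newer scheduled run does not cancel a running one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# Least-privilege GITHUB_TOKEN. `security-events: write` is what the
# codeql-action needs to upload SARIF results; everything else is read-only.
permissions:
  security-events: write
  packages: read
  actions: read
  contents: read

# Explicit `shell: bash` makes GitHub run every `run:` step with
# `-eo pipefail`, so a failing command or pipeline fails the step.
defaults:
  run:
    shell: bash

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-24.04
    timeout-minutes: 120
    strategy:
      # Keep analysing the other language when one matrix leg fails.
      fail-fast: false
      matrix:
        include:
          - language: csharp
            build-mode: autobuild
          - language: c-cpp
            build-mode: manual
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Setup .NET SDK
        if: matrix.language == 'csharp'
        uses: actions/setup-dotnet@v5
        with:
          global-json-file: global.json

      # Third-party action referenced by a mutable major tag. For
      # supply-chain hardening, pin it to a full commit SHA
      # (`jurplel/install-qt-action@<commit-sha> # v4`) and let Dependabot
      # keep the pin current. `setup-python` and `install-deps` ask the
      # action to provision its own prerequisites on the runner — review
      # what that installs when bumping the action version.
      - name: Install Qt 6.11.0
        if: matrix.language == 'c-cpp'
        uses: jurplel/install-qt-action@v4
        with:
          version: '6.11.0'
          target: desktop
          arch: linux_gcc_64
          # Folded scalar: the module list becomes one space-separated line.
          modules: >-
            qt5compat qt3d qtcharts qtconnectivity qtgraphs qtgrpc
            qthttpserver qtimageformats qtlottie qtmultimedia
            qtnetworkauth qtpositioning qtquick3d qtquick3dphysics
            qtquicktimeline qtremoteobjects qtscxml qtsensors
            qtserialbus qtserialport qtshadertools qtspeech
            qtvirtualkeyboard qtwebchannel qtwebsockets qtwebview
            qtlocation
          cache: true
          setup-python: true
          install-deps: true

      # Fail early if the Qt install did not land where expected, then
      # publish QT_DIR / Qt6_DIR for the CMake configure step below.
      - name: Export Qt environment
        if: matrix.language == 'c-cpp'
        run: |
          set -euo pipefail
          test -d "${QT_ROOT_DIR}"
          qt6_dir="${QT_ROOT_DIR}/lib/cmake/Qt6"
          test -f "${qt6_dir}/Qt6Config.cmake"
          echo "QT_DIR=${QT_ROOT_DIR}" >> "${GITHUB_ENV}"
          echo "Qt6_DIR=${qt6_dir}" >> "${GITHUB_ENV}"
          echo "QT_DIR=${QT_ROOT_DIR}"
          echo "Qt6_DIR=${qt6_dir}"

      # Sanity check that the runner image ships the tools the next steps
      # rely on (clang for the build, wget/unzip for the pinned downloads).
      - name: Verify hosted native tools
        if: matrix.language == 'c-cpp'
        run: |
          clang --version | head -n 1
          clang++ --version | head -n 1
          wget --version | head -n 1
          unzip -v | head -n 1

      # Pinned binary download, verified against a known SHA-256 before it
      # is unpacked or added to PATH. Update the hash together with the URL.
      - name: Install CMake 4.2.3
        if: matrix.language == 'c-cpp'
        run: |
          set -euo pipefail
          cmake_url='https://github.com/Kitware/CMake/releases/download/v4.2.3/cmake-4.2.3-linux-x86_64.tar.gz'
          cmake_sha256='5bb505d5e0cca0480a330f7f27ccf52c2b8b5214c5bba97df08899f5ef650c23'
          cmake_archive="${RUNNER_TEMP}/cmake.tar.gz"
          cmake_root="${RUNNER_TEMP}/cmake"
          wget -qO "${cmake_archive}" "${cmake_url}"
          # Two spaces between digest and path is the documented checksum-line
          # format; a single space is not accepted by every sha256sum.
          echo "${cmake_sha256}  ${cmake_archive}" | sha256sum --check --status
          mkdir -p "${cmake_root}"
          tar -xzf "${cmake_archive}" -C "${cmake_root}" --strip-components=1
          echo "${cmake_root}/bin" >> "${GITHUB_PATH}"

      # Same pattern as the CMake step: pinned URL + SHA-256 verification.
      # The archive ships a lowercase `fbuild`; the `FBuild` symlink lets
      # later steps invoke it under that name.
      - name: Install FASTBuild
        if: matrix.language == 'c-cpp'
        run: |
          set -euo pipefail
          fastbuild_url='https://fastbuild.org/downloads/v1.19/FASTBuild-Linux-x64-v1.19.zip'
          fastbuild_sha256='8d07bcf7e6840409ee96105caf93093a3a5efc6271a635cbb4e91021472e95a7'
          fastbuild_archive="${RUNNER_TEMP}/fastbuild.zip"
          fastbuild_root="${RUNNER_TEMP}/fastbuild"
          wget -qO "${fastbuild_archive}" "${fastbuild_url}"
          echo "${fastbuild_sha256}  ${fastbuild_archive}" | sha256sum --check --status
          mkdir -p "${fastbuild_root}"
          unzip -q "${fastbuild_archive}" -d "${fastbuild_root}"
          chmod +x "${fastbuild_root}/fbuild" "${fastbuild_root}/fbuildworker"
          ln -sf "${fastbuild_root}/fbuild" "${fastbuild_root}/FBuild"
          echo "${fastbuild_root}" >> "${GITHUB_PATH}"

      # Create the cache directory owned by the runner user and expose its
      # path as a step output so the cache action and the build agree on it.
      - name: Resolve FASTBuild cache path
        if: matrix.language == 'c-cpp'
        id: fbcache
        run: |
          sudo mkdir -p /cache/fastbuild
          sudo chown "$USER":"$USER" /cache/fastbuild
          echo "path=/cache/fastbuild" >> "${GITHUB_OUTPUT}"

      # Exact key per commit; the prefix in restore-keys falls back to the
      # most recent cache from any earlier commit.
      - name: Restore FASTBuild compilation cache
        if: matrix.language == 'c-cpp'
        uses: actions/cache@v5
        with:
          path: ${{ steps.fbcache.outputs.path }}
          key: fbcache-codeql-linux-${{ github.sha }}
          restore-keys: fbcache-codeql-linux-

      - name: Verify tool versions
        if: matrix.language == 'c-cpp'
        run: |
          echo "CMake: $(cmake --version | head -n 1)"
          echo "Clang: $(clang++ --version | head -n 1)"
          echo "FASTBuild: $(FBuild -version | head -n 1)"

      # Scope the analysis to first-party source; generated build output
      # (build/, bin/, obj/) is excluded so it neither slows the scan nor
      # produces findings in artefacts nobody edits.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-and-quality
          config: |
            paths:
              - src
              - tests
              - native
            paths-ignore:
              - build
              - '**/bin/**'
              - '**/obj/**'

      - name: Autobuild
        if: matrix.build-mode == 'autobuild'
        uses: github/codeql-action/autobuild@v4

      # Manual build for c-cpp: must run after `init` and before `analyze`
      # so the CodeQL tracer captures the compilation.
      - name: Configure native build
        if: matrix.language == 'c-cpp'
        env:
          CC: clang
          CXX: clang++
        run: cmake --preset linux-ci

      - name: Build native code
        if: matrix.language == 'c-cpp'
        env:
          CC: clang
          CXX: clang++
        run: cmake --build --preset linux-ci

      # Keep the saved cache bounded. Note that `always()` also runs on a
      # cancelled job; switch to `!cancelled()` if that is not wanted.
      - name: Trim FASTBuild cache
        if: always() && matrix.language == 'c-cpp'
        run: |
          if [[ -d "${GITHUB_WORKSPACE}/build/linux-ci" ]]; then
            (
              cd "${GITHUB_WORKSPACE}/build/linux-ci"
              FBuild -cachetrim 10240
            )
          fi

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"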