Skip to content
CodeQL monorepo

Update monorepo-projects.json #44

Sign in to view logs

Update monorepo-projects.json

Update monorepo-projects.json #44

Workflow file for this run

.github/workflows/codeql-monorepo.yml at 3ec2208
# This workflow determines which sub projects of a monorepo are affected by a PR, and then runs CodeQL analysis on those projects.
#
# It uses Actions from `advanced-security/monorepo-code-scanning-action`
#
# The specific language and paths affected are passed to the CodeQL analysis, along with a custom analysis workflow if one is provided.
#
# For TypeScript/JavaScript, Python, and Ruby, and when using 'build-mode: none' for Java and C#, you can let the CodeQL Action handle the "build" step,
# and only target the project that is being changed by the PR.
#
# For Kotlin, Swift and C/C++, or when not using 'build-mode: none' for Java and C#, you will need to manually build the project,
# in a way that you can define in the optional custom analysis workflow.
#
# If you want to specifiy custom queries, you can do so in the custom analysis workflow.
#
# You can find an example of what that looks like in this repository at .github/workflows/custom-codeql-analysis.yml
name: "CodeQL monorepo"
on:
pull_request:
branches: ["main"]
types:
- opened # scan new PRs
- reopened # scan PRs that are reopened
- synchronize # scan newly pushed commits to PRs
- closed # republish results from merged PRs
jobs:
changes:
runs-on: ubuntu-latest
permissions:
pull-requests: read
contents: read
outputs:
projects: ${{ steps.changes.outputs.projects }}
scan-required: ${{ steps.changes.outputs.scan-required }}
steps:
# # Only checkout the latest commit and just the packages folder
# - name: Checkout repository
# uses: actions/checkout@v4
# with:
# fetch-depth: 1
# sparse-checkout: "packages/*"
# path: 'dynamic'
# # EX:
# # {
# # "javascript-typescript": {
# # "babel-cli": [
# # "packages/babel-cli"
# # ],
# # "babel-code-frame": [
# # "packages/babel-code-frame"
# # ],
# # "babel-compat-data": [
# # "packages/babel-compat-data"
# # ],
# # ............ (for each directory under projects )
# - name: Build language based projects JSON for each package in the monorepo
# run: |
# #!/bin/bash
# cd dynamic
# json="{ \"javascript-typescript\": {"
# for dir in packages/*/
# do
# folder_name=$(basename "$dir")
# json+="\"$folder_name\": [ \"packages/$folder_name\" ],"
# done
# json="${json%,}}}"
# echo -e "$json" > dynamic-projects.json
# cat dynamic-projects.json
- name: Spot changes to projects
id: changes
uses: advanced-security/monorepo-code-scanning-action/changes@main
with:
projects-json: monorepo-projects.json
scan:
if: needs.changes.outputs.scan-required == 'true'
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
security-events: write
needs: changes
strategy:
matrix:
project: ${{ fromJson(needs.changes.outputs.projects).projects }}
steps:
- name: Analyze code
uses: advanced-security/monorepo-code-scanning-action/scan@main
# If you have a custom analysis workflow defined at .github/workflows/custom-codeql-analysis.yml, then set this to 'true' so that it is run.
# custom-analysis: true
# You must use the 'republish' step to republish the results of missing analyses from the target branch to the PR, to pass required checks.
# It will also copy these results to the target branch on merge, so that the full results are available in the target branch.
republish:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
needs: changes
steps:
- name: Republish results
uses: advanced-security/monorepo-code-scanning-action/republish-sarif@main
with:
projects: ${{ needs.changes.outputs.projects }}