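---
# CodeQL scanning for the repository's JavaScript/TypeScript, Actions, Swift
# and Rust code. A cheap metadata-only job decides which language jobs need to
# run; scheduled runs always scan everything.
#
# Supply-chain note: actions below are referenced by major tag. Pinning each
# `uses:` to a full commit SHA (with the version in a trailing comment) gives a
# stronger guarantee against tag moves.
name: CodeQL Analysis

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # weekly scan — Sundays at 4am UTC
    - cron: '0 4 * * 0'

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  # Only PR runs are superseded; scans of main are allowed to finish.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Workflow-wide token scopes; jobs that need less narrow these below.
permissions:
  contents: read
  security-events: write

jobs:
  check-changes:
    name: Check changed languages
    runs-on: ubuntu-latest
    # This job only reads change metadata; it must not hold security-events: write.
    # pull-requests: read is needed for the pull-request files endpoint (at least
    # on private repositories).
    permissions:
      contents: read
      pull-requests: read
    outputs:
      js-changed: ${{ steps.check.outputs.js-changed }}
      actions-changed: ${{ steps.check.outputs.actions-changed }}
      swift-changed: ${{ steps.check.outputs.swift-changed }}
      rust-changed: ${{ steps.check.outputs.rust-changed }}
    steps:
      - id: check
        env:
          GH_TOKEN: ${{ github.token }}
          # Event data is passed through the environment rather than
          # interpolated into the script body, so the script is never
          # re-parsed by the shell with expression output inside it.
          EVENT_NAME: ${{ github.event_name }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.sha }}
          BASE_SHA: ${{ github.event.before }}
        run: |
          set -euo pipefail

          # Mark every language as changed. Used for scheduled runs and as the
          # fail-safe whenever change detection cannot be trusted.
          all_changed() {
            for lang in js actions swift rust; do
              echo "${lang}-changed=true" >> "$GITHUB_OUTPUT"
            done
          }

          # On schedule, scan everything
          if [[ "$EVENT_NAME" == "schedule" ]]; then
            all_changed
            exit 0
          fi

          # Get changed files via API (no checkout needed). If the lookup fails
          # for any reason, degrade to scanning everything: a detection failure
          # must not silently skip the security scan.
          if [[ "$EVENT_NAME" == "pull_request" ]]; then
            FILES=$(gh api "repos/$REPO/pulls/$PR_NUMBER/files" --paginate --jq '.[].filename') || {
              echo "::warning::could not list pull request files; scanning all languages"
              all_changed
              exit 0
            }
          else
            # A push may carry several commits, so compare the pushed range
            # rather than the head commit alone. Fall back to the head commit
            # when the base is the null SHA (branch creation) or is no longer
            # reachable (e.g. after a force-push).
            # NOTE: the compare endpoint returns at most 300 files; very large
            # pushes may be under-detected.
            FILES=""
            if [[ -z "$BASE_SHA" || "$BASE_SHA" =~ ^0+$ ]] || ! FILES=$(gh api "repos/$REPO/compare/$BASE_SHA...$HEAD_SHA" --jq '.files[].filename'); then
              FILES=$(gh api "repos/$REPO/commits/$HEAD_SHA" --jq '.files[].filename') || {
                echo "::warning::could not list pushed files; scanning all languages"
                all_changed
                exit 0
              }
            fi
          fi

          # Print "true" when any changed path matches the extended regex in $1.
          # A here-string avoids a pipe, so pipefail cannot turn an early grep
          # exit into a false negative.
          check_pattern() {
            if grep -qE "$1" <<< "$FILES"; then
              echo "true"
            else
              echo "false"
            fi
          }

          # The shared CodeQL config applies to every language: rescan all
          # when anything under it changes.
          if [[ "$(check_pattern '^\.github/codeql/')" == "true" ]]; then
            all_changed
            exit 0
          fi

          echo "js-changed=$(check_pattern '\.(js|ts|jsx|tsx|mjs|cjs)$')" >> "$GITHUB_OUTPUT"
          echo "actions-changed=$(check_pattern '^\.github/')" >> "$GITHUB_OUTPUT"
          echo "swift-changed=$(check_pattern '^packages/encryption-binary-swift/')" >> "$GITHUB_OUTPUT"
          echo "rust-changed=$(check_pattern '^packages/encryption-binary-rust/')" >> "$GITHUB_OUTPUT"

  analyze-js:
    name: Analyze JavaScript/TypeScript
    needs: check-changes
    if: needs.check-changes.outputs.js-changed == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # Nothing in this job pushes; do not leave the token in .git/config.
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-config.yml
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          # Distinct category per language so SARIF uploads do not overwrite each other.
          category: javascript-typescript

  analyze-actions:
    name: Analyze Actions
    needs: check-changes
    if: needs.check-changes.outputs.actions-changed == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: actions
          config-file: ./.github/codeql/codeql-config.yml
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: actions

  analyze-swift:
    name: Analyze Swift
    needs: check-changes
    if: needs.check-changes.outputs.swift-changed == 'true'
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: swift
          config-file: ./.github/codeql/codeql-config.yml
      # Swift is a compiled language for CodeQL: the build must run between
      # init and analyze so the extractor can observe it.
      - name: Build Swift binary
        run: |
          cd packages/encryption-binary-swift/swift
          swift build
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: swift

  analyze-rust:
    name: Analyze Rust
    needs: check-changes
    if: needs.check-changes.outputs.rust-changed == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: rust
          config-file: ./.github/codeql/codeql-config.yml
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: rust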