maintenance/improve test coverage #706
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: "CodeQL Analysis" | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| - cron: '0 3 * * 0' # weekly (UTC) — adjust as needed | |
| workflow_dispatch: | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| env: | |
| BUILD_TYPE: RelWithDebInfo | |
| CPP_COMPILER: g++ | |
| CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE: ${{ github.workspace }}/phlex-build/compile_commands.json | |
| jobs: | |
| codeql: | |
| name: Analyze ${{ matrix.language }} with CodeQL | |
| runs-on: ubuntu-24.04 | |
| container: | |
| image: ghcr.io/framework-r-d/phlex-ci:latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: ['cpp', 'python', 'actions'] | |
| timeout-minutes: 120 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| path: phlex-src | |
| fetch-depth: 0 | |
| - name: Setup build environment | |
| uses: Framework-R-D/phlex/.github/actions/setup-build-env@main | |
| with: | |
| build-path: phlex-build | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10 | |
| with: | |
| languages: ${{ matrix.language }} | |
| config-file: phlex-src/.github/codeql/codeql-config.yml | |
| source-root: phlex-src | |
| build-mode: none | |
| - name: Produce compile_commands.json (C++ only) | |
| if: matrix.language == 'cpp' | |
| uses: Framework-R-D/phlex/.github/actions/configure-cmake@main | |
| with: | |
| build-type: ${{ env.BUILD_TYPE }} | |
| - name: Verify compile_commands.json (C++ only) | |
| if: matrix.language == 'cpp' | |
| run: | | |
| set -euo pipefail | |
| if [ ! -f "$CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE" ]; then | |
| echo "Expected compile_commands.json at $CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE" >&2 | |
| exit 1 | |
| fi | |
| # Run CodeQL analysis (uploads results to code scanning) | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10 | |
| with: | |
| checkout_path: phlex-src | |
| output: results | |
| category: ${{ matrix.language }} | |
| - name: Upload SARIF results | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: codeql-sarif-${{ matrix.language }} | |
| path: results | |
| retention-days: 7 | |
| codeql-report: | |
| name: Aggregate CodeQL alerts | |
| needs: codeql | |
| runs-on: ubuntu-24.04 | |
| if: needs.codeql.result == 'success' | |
| permissions: | |
| contents: read | |
| issues: write | |
| pull-requests: write | |
| security-events: read | |
| env: | |
| CODEQL_MIN_LEVEL: warning | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: Set log file path | |
| id: set_log_path | |
| run: echo "path=$RUNNER_TEMP/codeql-alerts.log" >> "$GITHUB_OUTPUT" | |
| - name: Checkout repository | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download CodeQL SARIF artifacts | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 | |
| with: | |
| pattern: codeql-sarif-* | |
| path: sarif | |
| merge-multiple: true | |
| - name: Check CodeQL SARIF for new or resolved alerts | |
| id: check_codeql | |
| run: | | |
| set -euo pipefail | |
| ARGS=( | |
| --sarif "$GITHUB_WORKSPACE/sarif" | |
| --min-level "${CODEQL_MIN_LEVEL}" | |
| --log-path "${{ steps.set_log_path.outputs.path }}" | |
| ) | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| ARGS+=(--ref "refs/pull/${{ github.event.pull_request.number }}/merge") | |
| fi | |
| python3 scripts/check_codeql_alerts.py "${ARGS[@]}" | |
| - name: Upload CodeQL alerts debug log | |
| if: always() | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: codeql-alerts-debug-log | |
| path: ${{ steps.set_log_path.outputs.path }} | |
| retention-days: 3 | |
| - name: Prepare PR comment data | |
| if: >- | |
| github.event_name == 'pull_request' && | |
| steps.check_codeql.outputs.comment_path != '' | |
| run: | | |
| mkdir -p pr_comment_data | |
| echo "${{ github.event.pull_request.number }}" > pr_comment_data/pr_number.txt | |
| cp "${{ steps.check_codeql.outputs.comment_path }}" pr_comment_data/comment_body.md | |
| - name: Upload PR comment data | |
| if: >- | |
| github.event_name == 'pull_request' && | |
| steps.check_codeql.outputs.comment_path != '' | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: codeql-pr-data | |
| path: pr_comment_data/ | |
| retention-days: 1 | |
| - name: Fail workflow due to new CodeQL alerts | |
| # Fails the check on the PR so the user sees red X | |
| if: >- | |
| github.event_name == 'pull_request' && | |
| steps.check_codeql.outputs.new_alerts == 'true' | |
| run: | | |
| echo "New CodeQL alerts detected; failing job." | |
| exit 1 |