From 6def7b4ee85f7fd66366557e4460e9e15c718bce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9E=81=E9=80=9F=E8=9C=97=E7=89=9B?= <31986081+Jisu-Woniu@users.noreply.github.com>
Date: Mon, 11 Aug 2025 21:26:55 +0800
Subject: [PATCH] =?UTF-8?q?ci(actions):=20=F0=9F=91=B7=20add=20CodeQL=20fo?=
 =?UTF-8?q?r=20Rust=20code?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/building.yml |  6 +--
 .github/workflows/codeql.yml   | 68 ++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/building.yml b/.github/workflows/building.yml
index 98cdb43..363105c 100644
--- a/.github/workflows/building.yml
+++ b/.github/workflows/building.yml
@@ -38,7 +38,7 @@ jobs:
       - name: Optimize APT
         run: |
           sudo apt-mark hold firefox
-          echo 'set man-db/auto-update false' | sudo debconf-communicate > /dev/null
+          echo 'set man-db/auto-update false' | sudo debconf-communicate >/dev/null
           sudo dpkg-reconfigure man-db
       - name: Install dependencies
         run: |
@@ -91,7 +91,7 @@ jobs:
       - name: Optimize APT
         run: |
           sudo apt-mark hold firefox
-          echo 'set man-db/auto-update false' | sudo debconf-communicate > /dev/null
+          echo 'set man-db/auto-update false' | sudo debconf-communicate >/dev/null
           sudo dpkg-reconfigure man-db
       - name: Install dependencies
         run: |
@@ -135,7 +135,7 @@ jobs:
       - name: Optimize APT
         run: |
           sudo apt-mark hold firefox
-          echo 'set man-db/auto-update false' | sudo debconf-communicate > /dev/null
+          echo 'set man-db/auto-update false' | sudo debconf-communicate >/dev/null
           sudo dpkg-reconfigure man-db
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..e525081
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,68 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  merge_group:
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: "ubuntu-latest"
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: rust
+            build-mode: autobuild
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Optimize APT
+        run: |
+          sudo apt-mark hold firefox
+          echo 'set man-db/auto-update false' | sudo debconf-communicate >/dev/null
+          sudo dpkg-reconfigure man-db
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get upgrade -y
+          sudo apt-get install -y wget clang
+      - name: Setup Rust toolchain
+        uses: moonrepo/setup-rust@v1
+        with:
+          channel: stable
+          bins: cargo-hack, cargo-deny, clippy-sarif, sarif-fmt, cargo-nextest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup mold
+        uses: rui314/setup-mold@v1
+      - name: Setup buf
+        uses: bufbuild/buf-setup-action@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup protoc
+        uses: Noelware/setup-protoc@1.2.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup sccache
+        uses: mozilla-actions/sccache-action@v0.0.9
+      - name: Enable sccache
+        run: |
+          echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
+          echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
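Review bot: The third-party setup actions that are handed `secrets.GITHUB_TOKEN` — `moonrepo/setup-rust@v1`, `bufbuild/buf-setup-action@v1` and `Noelware/setup-protoc@1.2.0` — are referenced by mutable tags, so whatever the tag points to on a given day runs with that token inside a job holding `security-events: write`; pin each to a full commit SHA and keep the version as a trailing comment, e.g. `uses: Noelware/setup-protoc@<full-commit-sha> # 1.2.0`, and let Dependabot move the pins. The job-level `permissions:` block grants only `security-events: write`, which sets every unlisted scope to none, so `actions/checkout@v4` runs without `contents: read` and would likely fail to clone if the repository is or becomes private; GitHub's CodeQL starter workflow lists `contents: read`, `actions: read` and `packages: read` (the last for fetching CodeQL packs) next to `security-events: write`, and this job should state the scopes it actually needs. `sudo apt-get upgrade -y` in the Install dependencies step pulls unpinned package updates into every scan and is not required for CodeQL; dropping it keeps the analysis environment reproducible and shortens the run.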