python_cpp_example/.github/workflows/codeql-analysis.yml at master · cmboling/python_cpp_example · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ master ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ master ]
  schedule:
    - cron: '24 6 * * 5'
  workflow_dispatch:

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'cpp' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
        # Learn more:
        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
          submodules: recursive

    # setup dev environment here if necessary
    - name: Environment variables
      env:
        GITHUB_TOKEN: ${{ github.token }}
        GITHUB_REF: ${{ github.ref }}
        GITHUB_SHA: ${{ github.sha }}
        GITHUB_REPO: ${{ github.repository }}
        GITHUB_WORKSPACE: ${{ github.workspace }}
      run: |
        echo $GITHUB_TOKEN
        echo $GITHUB_REF
        echo $GITHUB_SHA
        echo $GITHUB_REPO
        echo $GITHUB_WORKSPACE
    - name: Setup CodeQL Runner
      run: |
        pwd
        wget -q https://github.com/github/codeql-action/releases/download/codeql-bundle-20201106/codeql-runner-linux
        sudo install -o root -g root -m 0755 codeql-runner-linux /usr/local/bin/
        ls -l
        echo ${{ github.workspace }}

    - name: Execute CodeQL Runner
      run: |

        latest_SHA_on_ref=$(git rev-parse HEAD)
        default_branch=$(git symbolic-ref HEAD)

        sudo codeql-runner-linux init \
          --checkout-path ${{ github.workspace }} \
          --github-url https://github.com \
          --repository ${{ github.repository }} \
          --github-auth ${{ github.token }} \
          --languages ${{ matrix.language }} \
          --source-root=${{ github.workspace }} \

        source /home/runner/work/python_cpp_example/python_cpp_example/codeql-runner/codeql-env.sh

        sudo python3 ./setup.py install

        sudo codeql-runner-linux analyze \
          --checkout-path ${{ github.workspace }} \
          --github-url https://github.com \
          --repository ${{ github.repository }} \
          --github-auth ${{ github.token }} \
          --commit $latest_SHA_on_ref \
          --ref $default_branch

    - name: Upload extractor specific logs
      if: ${{ always() }}
      uses: actions/upload-artifact@v2
      with:
        name: extractor-logs-${{ matrix.language }}-db
        path: ${{ github.workspace }}/codeql-runner/codeql_databases/cpp/log