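# https://docs.microsoft.com/en-us/dotnet/devops/dotnet-secure-github-action
name: "CodeQL Analysis"

on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
  workflow_dispatch:

# https://www.meziantou.net/how-to-cancel-github-workflows-when-pushing-new-commits-on-a-branch.htm
concurrency:
  # github.event.pull_request.number || github.ref: pull request number or branch name if not a pull request
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Workflow-level default, used only by jobs that do not declare their own
# `permissions` block (a job-level block replaces this one entirely, it is not
# merged with it). Kept read-only so a job added later does not inherit write
# access by accident; any write scope a job needs belongs in that job's own block.
permissions:
  contents: read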
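jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    # A job-level `permissions` block replaces the workflow-level one entirely,
    # so every scope this job needs has to be listed here.
    permissions:
      # required for all workflows
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories
      actions: read
      # `write`, not the CodeQL template's `read`: the lock-file commit and the
      # `git push` step below run with GITHUB_TOKEN and cannot push under a
      # read-only token. Lower this back to `read` if those steps are removed.
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: csharp
            build-mode: manual
        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
    env:
      NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
      DOTNET_NOLOGO: true
      DOTNET_CLI_TELEMETRY_OPTOUT: true
    # NOTE(review): several `uses:` version refs below appear as `[email protected]`
    # in this rendering and the intended ref is not recoverable from it. Restore
    # the real refs; pinning every action to a full commit SHA (with a comment
    # naming the tag) keeps a moved tag from silently changing what runs here.
    steps:
      - name: Checkout repository
        id: checkout_repo
        uses: actions/[email protected]
        with:
          fetch-depth: 2
      - name: "Check for changed files"
        # Third-party action on a moving major tag; prefer a full commit SHA.
        uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: .github/filter.yml
      - name: Set environment variable
        id: set-env
        # Expression values are handed to the script through `env` instead of
        # being expanded into the script text, so the shell never re-parses them.
        env:
          CODE_CHANGED: ${{ steps.filter.outputs.code }}
          CODEQL_CHANGED: ${{ steps.filter.outputs.codeql }}
        run: |
          if [ "$CODE_CHANGED" == "true" ] || [ "$CODEQL_CHANGED" == "true" ]; then
            echo "ENABLED=1" >> "$GITHUB_ENV"
          else
            echo "ENABLED=0" >> "$GITHUB_ENV"
          fi
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        id: init_codeql
        if: env.ENABLED == '1'
        uses: github/codeql-action/[email protected]
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          dependency-caching: true
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
      # If the analyze step fails for one of the languages you are analyzing with
      # "We were unable to automatically build your code", modify the matrix above
      # to set the build mode to "manual" for that language. Then modify this step
      # to build your code.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      - if: matrix.build-mode == 'manual' && env.ENABLED == '1'
        name: Set up .NET
        uses: actions/[email protected]
        with:
          global-json-file: global.json
          cache: true
          cache-dependency-path: '**/packages.lock.json'
      - if: matrix.build-mode == 'manual' && env.ENABLED == '1'
        name: Install dependencies
        # The PR author login comes in via `env`; GITHUB_ACTOR is the runner's
        # built-in equivalent of `github.actor`. Neither is expanded into the script.
        env:
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          if [[ "$PR_AUTHOR" == 'dependabot[bot]' ]] || [[ "$GITHUB_ACTOR" == 'dependabot[bot]' ]]; then
            # Dependabot PRs: re-evaluate the lock files and stage them for the commit step.
            dotnet restore --force-evaluate && git add .
          else
            # Everyone else: the committed lock files must already be consistent.
            dotnet restore --locked-mode
          fi
      - id: commit
        if: matrix.build-mode == 'manual' && env.ENABLED == '1'
        # Third-party action on a moving major tag; prefer a full commit SHA.
        uses: qoomon/actions--create-commit@v1
        with:
          message: "Committing changes to lock files [skip ci]"
          allow-empty: false
          skip-empty: true
      - if: matrix.build-mode == 'manual' && env.ENABLED == '1' && steps.commit.outputs.commit != null
        # `github.head_ref` is chosen by whoever opened the PR; it is passed through
        # `env` and quoted so the shell never re-parses it. Needs `contents: write`.
        env:
          TARGET_BRANCH: ${{ github.head_ref || github.ref_name }}
        run: git push origin "$TARGET_BRANCH"
      # A second "Install dependencies" step that was gated on
      # `steps.pr-check.outputs.pr_found == 'false'` has been removed: no step
      # with id `pr-check` exists in this job, so that condition was never true
      # and the step never ran. The manual-build restore above covers the build.
      - if: matrix.build-mode == 'manual' && env.ENABLED == '1'
        name: Build
        run: dotnet build --configuration Release --no-restore --tl
      - name: Perform CodeQL Analysis
        if: env.ENABLED == '1'
        uses: github/codeql-action/[email protected]
        with:
          category: "/language:${{matrix.language}}"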