-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Moving CodeQL into builds, and making the CodeQL job a re-usable flow (…
- Loading branch information
1 parent
feff412
commit 3705254
Showing
2 changed files
with
114 additions
and
125 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -19,7 +19,12 @@ on: | |
pull_request: | ||
merge_group: | ||
workflow_dispatch: | ||
|
||
workflow_call: | ||
inputs: | ||
run-codeql: | ||
required: false | ||
type: boolean | ||
|
||
concurrency: | ||
group: ${{ github.ref }}-${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.event.number) || (github.event_name == 'workflow_dispatch' && github.run_number) || github.sha }} | ||
cancel-in-progress: true | ||
|
@@ -94,6 +99,11 @@ jobs: | |
.environment/gn_out/.ninja_log | ||
.environment/pigweed-venv/*.log | ||
- name: Initialize CodeQL | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/init@v2 | ||
with: | ||
languages: "cpp" | ||
- name: Setup Build | ||
run: scripts/build/gn_gen.sh --args="chip_config_memory_debug_checks=true chip_config_memory_debug_dmalloc=false" | ||
- name: Run Build | ||
|
@@ -133,6 +143,36 @@ jobs: | |
path: /tmp/cores/ | ||
# Cores are big; don't hold on to them too long. | ||
retention-days: 5 | ||
- name: Perform CodeQL Analysis | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/analyze@v2 | ||
with: | ||
category: "/language:cpp" | ||
upload: False | ||
output: sarif-results | ||
- name: filter-sarif | ||
if: ${{ inputs.run-codeql }} | ||
uses: advanced-security/filter-sarif@v1 | ||
with: | ||
patterns: | | ||
-**/third_party/** | ||
-**/scripts/** | ||
input: "sarif-results/cpp.sarif" | ||
output: "sarif-results/cpp.sarif" | ||
|
||
- name: Upload SARIF | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: "sarif-results/cpp.sarif" | ||
|
||
- name: Upload loc as a Build Artifact | ||
if: ${{ inputs.run-codeql }} | ||
uses: actions/[email protected] | ||
with: | ||
name: sarif-results | ||
path: sarif-results | ||
retention-days: 1 | ||
# OBJDIR on linux is > 10K files and takes more than 50 minutes to upload, usually | ||
# having the job timeout. | ||
# | ||
|
@@ -178,11 +218,6 @@ jobs: | |
token: ${{ github.token }} | ||
attempt_limit: 3 | ||
attempt_delay: 2000 | ||
# - name: Initialize CodeQL | ||
# if: ${{ github.event_name == 'push' && github.event.ref == 'refs/heads/master' }} | ||
# uses: github/codeql-action/init@v1 | ||
# with: | ||
# languages: "cpp" | ||
- name: Checkout submodules | ||
run: scripts/checkout_submodules.py --allow-changing-global-git-config --shallow --platform linux | ||
- name: Try to ensure the directories for core dumping exist and we | ||
|
@@ -215,7 +250,11 @@ jobs: | |
path: | | ||
.environment/gn_out/.ninja_log | ||
.environment/pigweed-venv/*.log | ||
- name: Initialize CodeQL | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/init@v2 | ||
with: | ||
languages: "cpp" | ||
- name: Setup and Build Simulated Device | ||
timeout-minutes: 20 | ||
run: | | ||
|
@@ -302,6 +341,36 @@ jobs: | |
run: | | ||
./scripts/run_in_build_env.sh \ | ||
"./scripts/build/build_examples.py --target linux-fake-tests build" | ||
- name: Perform CodeQL Analysis | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/analyze@v2 | ||
with: | ||
category: "/language:cpp" | ||
upload: False | ||
output: sarif-results | ||
- name: filter-sarif | ||
if: ${{ inputs.run-codeql }} | ||
uses: advanced-security/filter-sarif@v1 | ||
with: | ||
patterns: | | ||
-**/third_party/** | ||
-**/scripts/** | ||
input: "sarif-results/cpp.sarif" | ||
output: "sarif-results/cpp.sarif" | ||
|
||
- name: Upload SARIF | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: "sarif-results/cpp.sarif" | ||
|
||
- name: Upload loc as a Build Artifact | ||
if: ${{ inputs.run-codeql }} | ||
uses: actions/[email protected] | ||
with: | ||
name: sarif-results | ||
path: sarif-results | ||
retention-days: 1 | ||
- name: Uploading core files | ||
uses: actions/upload-artifact@v3 | ||
if: ${{ failure() && !env.ACT }} | ||
|
@@ -411,11 +480,6 @@ jobs: | |
token: ${{ github.token }} | ||
attempt_limit: 3 | ||
attempt_delay: 2000 | ||
#- name: Initialize CodeQL | ||
# if: ${{ github.event_name == 'push' && github.event.ref == 'refs/heads/master' }} | ||
# uses: github/codeql-action/init@v1 | ||
# with: | ||
# languages: "cpp" | ||
- name: Checkout submodules | ||
run: scripts/checkout_submodules.py --allow-changing-global-git-config --shallow --platform darwin | ||
- name: Try to ensure the directory for diagnostic log collection exists | ||
|
@@ -447,6 +511,11 @@ jobs: | |
.environment/gn_out/.ninja_log | ||
.environment/pigweed-venv/*.log | ||
- name: Initialize CodeQL | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/init@v2 | ||
with: | ||
languages: "cpp" | ||
- name: Setup and Build Simulated Device | ||
timeout-minutes: 20 | ||
run: | | ||
|
@@ -495,9 +564,36 @@ jobs: | |
with: | ||
name: crash-log-darwin | ||
path: ~/Library/Logs/DiagnosticReports/ | ||
# - name: Perform CodeQL Analysis | ||
# if: ${{ github.event_name == 'push' && github.event.ref == 'refs/heads/master' }} | ||
# uses: github/codeql-action/analyze@v1 | ||
- name: Perform CodeQL Analysis | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/analyze@v2 | ||
with: | ||
category: "/language:cpp" | ||
upload: False | ||
output: sarif-results | ||
- name: filter-sarif | ||
if: ${{ inputs.run-codeql }} | ||
uses: advanced-security/filter-sarif@v1 | ||
with: | ||
patterns: | | ||
-**/third_party/** | ||
-**/scripts/** | ||
input: "sarif-results/cpp.sarif" | ||
output: "sarif-results/cpp.sarif" | ||
|
||
- name: Upload SARIF | ||
if: ${{ inputs.run-codeql }} | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: "sarif-results/cpp.sarif" | ||
|
||
- name: Upload loc as a Build Artifact | ||
if: ${{ inputs.run-codeql }} | ||
uses: actions/[email protected] | ||
with: | ||
name: sarif-results | ||
path: sarif-results | ||
retention-days: 1 | ||
# TODO Log Upload https://github.com/project-chip/connectedhomeip/issues/2227 | ||
# TODO https://github.com/project-chip/connectedhomeip/issues/1512 | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,116 +25,9 @@ concurrency: | |
group: ${{ github.ref }}-${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.event.number) || (github.event_name == 'workflow_dispatch' && github.run_number) || github.sha }} | ||
cancel-in-progress: true | ||
|
||
env: | ||
CHIP_NO_LOG_TIMESTAMPS: true | ||
# XXX: Workaround for https://github.com/actions/cache/issues/1141 | ||
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 3 | ||
|
||
jobs: | ||
analyze: | ||
name: CodeQL Analysis | ||
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
|
||
container: | ||
image: connectedhomeip/chip-build:0.7.3 | ||
volumes: | ||
- "/tmp/log_output:/tmp/test_logs" | ||
options: --privileged --sysctl "net.ipv6.conf.all.disable_ipv6=0 | ||
net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1" | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
language: [ 'cpp' ] | ||
# language: [ 'cpp', 'java', 'javascript', 'python' ] | ||
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] | ||
# Use only 'java' to analyze code written in Java, Kotlin or both | ||
# Use only 'javascript' to analyze code written in JavaScript, TypeScript or both | ||
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | ||
|
||
|
||
steps: | ||
- name: Dump GitHub context | ||
env: | ||
GITHUB_CONTEXT: ${{ toJSON(github) }} | ||
run: echo "$GITHUB_CONTEXT" | ||
- name: Dump Concurrency context | ||
env: | ||
CONCURRENCY_CONTEXT: ${{ github.ref }}-${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.event.number) || (github.event_name == 'workflow_dispatch' && github.run_number) || github.sha }} | ||
run: echo "$CONCURRENCY_CONTEXT" | ||
- uses: Wandalen/[email protected] | ||
name: Checkout | ||
with: | ||
action: actions/[email protected] | ||
with: | | ||
token: ${{ github.token }} | ||
attempt_limit: 3 | ||
attempt_delay: 2000 | ||
- name: Checkout submodules | ||
run: scripts/checkout_submodules.py --allow-changing-global-git-config --shallow --platform linux | ||
- name: Try to ensure the directories for core dumping exist and we | ||
can write them. | ||
run: | | ||
mkdir /tmp/cores || true | ||
sysctl -w kernel.core_pattern=/tmp/cores/core.%u.%p.%t || true | ||
- uses: Wandalen/[email protected] | ||
name: Bootstrap cache | ||
continue-on-error: true | ||
timeout-minutes: 10 | ||
with: | ||
action: buildjet/cache@v3 | ||
attempt_limit: 3 | ||
attempt_delay: 2000 | ||
with: | | ||
key: ${{ runner.os }}-env-${{ hashFiles('scripts/setup/*', 'third_party/pigweed/**') }} | ||
path: | | ||
.environment | ||
build_overrides/pigweed_environment.gni | ||
- name: Bootstrap | ||
run: bash scripts/bootstrap.sh | ||
|
||
- name: Initialize CodeQL | ||
uses: github/codeql-action/init@v2 | ||
with: | ||
languages: ${{ matrix.language }} | ||
|
||
- name: Setup Build | ||
run: scripts/build/gn_gen.sh --args="chip_config_memory_debug_checks=true chip_config_memory_debug_dmalloc=false" | ||
- name: Run Build | ||
run: scripts/run_in_build_env.sh "ninja -C ./out" | ||
- name: Run Tests | ||
run: scripts/tests/gn_tests.sh | ||
- name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@v2 | ||
with: | ||
category: "/language:${{matrix.language}}" | ||
upload: False | ||
output: sarif-results | ||
|
||
- name: filter-sarif | ||
uses: advanced-security/filter-sarif@v1 | ||
with: | ||
patterns: | | ||
-**/app/tests/** | ||
-**/third_party/** | ||
-**/scripts/** | ||
input: "sarif-results/${{matrix.language}}.sarif" | ||
output: "sarif-results/${{matrix.language}}.sarif" | ||
|
||
- name: Upload SARIF | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: "sarif-results/${{matrix.language}}.sarif" | ||
uses: project-chip/connectedhomeip/.github/workflows/build.yml@main | ||
with: | ||
run-codeql: true | ||
|
||
- name: Upload loc as a Build Artifact | ||
uses: actions/[email protected] | ||
with: | ||
name: sarif-results | ||
path: sarif-results | ||
retention-days: 1 |