forked from microsoft/hcsshim
-
Notifications
You must be signed in to change notification settings - Fork 0
113 lines (100 loc) · 3.4 KB
/
codeql.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# Since we have multiple build targets, and the makefile that CodeQL would use in its autobuild
# step doesn't build everything, we need to manually add run the Go (and C++) build commands
#
# See:
# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
#
# Additionally, see example CodeQL pipeline (in CodeQL repo):
# https://github.com/github/codeql/blob/0342b3eba242476cea815e601942021092d0bc10/.github/workflows/codeql-analysis.yml
name: "Code Scanning - CodeQL"
on:
push:
branches: [main]
pull_request:
branches: [main]
paths-ignore:
- "**/*.md"
- "**/*.txt"
- "hack/**"
- "scripts/**"
- ".github/**"
- "!.github/workflows/codeql.yml"
schedule:
# run weekly, at midnight on Sunday
# minute, hour, day of month, month, day of week
- cron: "0 0 * * 0"
# TODO: consolidate this with ci.yml so they both use the same Go version
env:
GO_VERSION: "1.19.x"
jobs:
CodeQL-Build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
# we want a matrix across the two GOOS options, not the product of all options
# ! update `targets` field if more binaries are added
include:
- goos: windows
language: go
targets: >-
cmd/containerd-shim-runhcs-v1,
cmd/device-util,
cmd/dmverity-vhd,
cmd/jobobject-util,
cmd/ncproxy,
cmd/runhcs,
cmd/shimdiag,
cmd/tar2ext4,
cmd/wclayer,
internal/tools/extendedtask,
internal/tools/grantvmgroupaccess,
internal/tools/networkagent,
internal/tools/uvmboot,
internal/tools/zapdir,
- goos: linux
language: go, cpp
targets: >-
cmd/gcs,
cmd/gcstools,
cmd/hooks/wait-paths,
cmd/tar2ext4,
internal/tools/policyenginesimulator,
internal/tools/securitypolicy,
internal/tools/snp-report,
steps:
# setup runner before initializing & running CodeQL
- name: Checkout
uses: actions/checkout@v4
with:
show-progress: false
- name: Install go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: CodeQL Initialize
uses: github/codeql-action/init@v2
with:
languages: ${{matrix.language}}
# build binaries
- name: Build go binaries
shell: pwsh
run: |
$targets = "${{ matrix.targets }}" -split ',' |
foreach { $_.Trim() } |
where { -not [string]::IsNullOrWhiteSpace($_) }
Write-Output "Targets: $targets"
foreach ( $t in $targets ) {
Write-Output "Build: $t"
go build "./$t" 2>&1
}
env:
GOOS: ${{ matrix.goos }}
- name: Build init and vsockexec
if: ${{ matrix.goos == 'linux' }}
run: make bin/vsockexec bin/init
- name: CodeQL Analyze
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"