action.yml
name: 'CodeQL: Init'
description: 'Set up CodeQL'
author: 'GitHub'
inputs:
  tools:
    description: >-
      By default, the Action will use the recommended version of the CodeQL
      Bundle to analyze your project. You can override this choice using this
      input. One of:

      - A local path to a CodeQL Bundle tarball, or
      - The URL of a CodeQL Bundle tarball GitHub release asset, or
      - A special value `linked` which uses the version of the CodeQL tools
        that the Action has been bundled with.

      If not specified, the Action will check in several places until it finds
      the CodeQL tools.
    required: false
  languages:
    description: >-
      A comma-separated list of CodeQL languages to analyze.

      Due to the performance benefit of parallelizing builds, we recommend specifying languages to
      analyze using a matrix and providing `\$\{{ matrix.language }}` as this input.

      For more information, see
      https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed.
    required: false
  build-mode:
    description: >-
      The build mode that will be used to analyze the language. This input is only available when
      analyzing a single CodeQL language per job, for example using a matrix.

      Available build modes will differ based on the language being analyzed. One of:

      - `none`: The database will be created without building the source code.
        Available for all interpreted languages and some compiled languages.
      - `autobuild`: The database will be created by attempting to automatically build the source
        code. Available for all compiled languages.
      - `manual`: The database will be created by building the source code using a manually
        specified build command. To use this build mode, specify manual build steps in
        your workflow between the `init` and `analyze` steps. Available for all
        compiled languages.
    required: false
  token:
    description: GitHub token to use for authenticating with this instance of GitHub. To download custom packs from multiple registries, use the registries input.
    default: ${{ github.token }}
    required: false
  registries:
    description: |
      Use this input only when you need to download CodeQL packages from another instance of GitHub. If you only need to download packages from this GitHub instance, use the token input instead.

      A YAML string that defines the list of GitHub container registries to use for downloading packs. The string is in the following form (the | is required on the first line):

          registries: |
              - url: https://containers.GHEHOSTNAME1/v2/
                packages:
                  - my-company/*
                  - my-company2/*
                token: \$\{{ secrets.GHEHOSTNAME1_TOKEN }}

              - url: https://ghcr.io/v2/
                packages: */*
                token: \$\{{ secrets.GHCR_TOKEN }}

      The `url` property contains the URL to the container registry you want to connect to.

      The `packages` property contains a single glob string or a list of glob strings, specifying which packages should be retrieved from this particular container registry. Order is important. Earlier entries will match before later entries.

      The `token` property contains a connection token for this registry.
    required: false
  matrix:
    default: ${{ toJson(matrix) }}
    required: false
  config-file:
    description: Path of the config file to use
    required: false
  db-location:
    description: Path where CodeQL databases should be created. If not specified, a temporary directory will be used.
    required: false
  config:
    description: Configuration passed as a YAML string in the same format as the config-file input. This takes precedence over the config-file input.
    required: false
  queries:
    description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file; prefix with "+" to use both sets of queries.
    required: false
  packs:
    description: >-
      Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not
      specified, then the latest version of the pack is used. By default, this overrides the same setting in a
      configuration file; prefix with "+" to use both sets of packs.

      This input is only available in single-language analyses. To use packs in multi-language
      analyses, you must specify packs in the codeql-config.yml file.
    required: false
  external-repository-token:
    description: A token for fetching external config files and queries if they reside in a private repository in the same GitHub instance that is running this action.
    required: false
  setup-python-dependencies:
    description: DEPRECATED. This option is ignored since CodeQL Action no longer installs Python dependencies as of versions 3.25.0 and 2.25.0.
    required: false
  source-root:
    description: Path of the root source code directory, relative to $GITHUB_WORKSPACE.
    required: false
  ram:
    description: >-
      The amount of memory in MB that can be used by CodeQL extractors.
      By default, CodeQL extractors will use most of the memory available in the system
      (which for GitHub-hosted runners is 6GB for Linux, 5.5GB for Windows, and 13GB for macOS).
      This input also sets the amount of memory that can later be used by the "analyze" action.
    required: false
  threads:
    description: >-
      The number of threads that can be used by CodeQL extractors.
      By default, CodeQL extractors will use all the hardware threads available in the system
      (which for GitHub-hosted runners is 2 for Linux and Windows and 3 for macOS).
      This input also sets the number of threads that can later be used by the "analyze" action.
    required: false
  debug:
    description: >-
      Enable debugging mode.
      This will result in more output being produced which may be useful when debugging certain issues.
      Debugging mode is enabled automatically when step debug logging is turned on.
    required: false
    default: 'false'
  debug-artifact-name:
    description: >-
      The name of the artifact to store debugging information in.
      This is only used when debug mode is enabled.
    required: false
  debug-database-name:
    description: >-
      The name of the database uploaded to the debugging artifact.
      This is only used when debug mode is enabled.
    required: false
  trap-caching:
    description: >-
      Explicitly enable or disable TRAP caching rather than respecting the feature flag for it.
    required: false
  dependency-caching:
    description: >-
      Explicitly enable or disable caching of project build dependencies.
    required: false
outputs:
  codeql-path:
    description: The path of the CodeQL binary used for analysis
  codeql-version:
    description: The version of the CodeQL binary used for analysis
runs:
  using: node20
  main: '../lib/init-action.js'
  post: '../lib/init-action-post.js'
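
An added example, not part of the action's source: a small Python check of the first-match ordering described for the `registries` input, showing which registry a pack resolves to and which entries become unreachable when a broad glob such as `*/*` is listed first. The `resolve` and `shadowed` helpers and the sample pack names are hypothetical, and Python's `fnmatch` is used as a stand-in for the action's own glob matching, which this file does not specify.

```python
from fnmatch import fnmatchcase

# Constructed sample mirroring the `registries` form shown in the description
# above (tokens omitted; the hostnames are the file's own placeholders).
REGISTRIES = [
    {"url": "https://containers.GHEHOSTNAME1/v2/",
     "packages": ["my-company/*", "my-company2/*"]},
    {"url": "https://ghcr.io/v2/", "packages": "*/*"},
]


def _globs(entry):
    """`packages` may be a single glob string or a list of glob strings."""
    pk = entry["packages"]
    return [pk] if isinstance(pk, str) else list(pk)


def resolve(pack, registries):
    """Return the URL of the first entry with a glob matching `pack`, else None."""
    for entry in registries:
        if any(fnmatchcase(pack, g) for g in _globs(entry)):
            return entry["url"]
    return None


def shadowed(registries):
    """List (url, glob) pairs that can never win under first-match ordering.

    Heuristic (assumption): a glob counts as covered when a glob from an
    earlier entry matches the later glob's literal text, which holds for the
    `scope/*` and `*/*` shapes used in this file.
    """
    dead = []
    for i, entry in enumerate(registries):
        earlier = [g for e in registries[:i] for g in _globs(e)]
        for g in _globs(entry):
            if any(fnmatchcase(g, e) for e in earlier):
                dead.append((entry["url"], g))
    return dead


if __name__ == "__main__":
    for name in ("my-company/secrets-queries", "codeql/python-queries"):
        print(name, "->", resolve(name, REGISTRIES))
    # Reversing the list puts `*/*` first and starves the private registry.
    print("shadowed if reversed:", shadowed(list(reversed(REGISTRIES))))
```

With the catch-all listed first, packs in the `my-company` scopes would be requested from the public registry instead of the private one, so reviewing the order of this input is worth doing whenever an entry is added.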