Skip to content
Build

Add More (noisy) CodeQL Checks #614

Sign in to view logs

Add More (noisy) CodeQL Checks

Add More (noisy) CodeQL Checks #614

Workflow file for this run

.github/workflows/build.yml at 36502b0
name: Build
on:
push:
branches: main
pull_request:
branches: main
concurrency:
# Cancel any workflow currently in progress for the same PR.
# Allow running concurrently with any other commits.
group: build-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
permissions: read-all
jobs:
build:
name: Build
permissions:
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read
# only required for workflows in private repositories
actions: read
contents: read
strategy:
fail-fast: false
matrix:
os: [ubuntu, windows]
tls: [schannel, openssl, openssl3]
link: [static, shared]
config: [Debug, Release]
exclude:
- os: ubuntu
tls: schannel
runs-on: ${{ matrix.os }}-latest
timeout-minutes: 15
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
submodules: 'recursive'
- name: Install Perl
if: runner.os == 'Windows'
uses: shogo82148/actions-setup-perl@98dfedee230bcf1ee68d5b021931fc8d63f2016e
with:
perl-version: '5.34'
- name: Install NASM
if: runner.os == 'Windows'
uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028
- name: Install libnuma-dev
if: runner.os == 'Ubuntu'
run: sudo apt-get install -y libnuma-dev
- name: Initialize CodeQL
if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
with:
languages: c-cpp
build-mode: manual
config: |
queries:
- uses: security-and-quality # (very verbose)
- name: Build
shell: pwsh
run: ./.github/workflows/build.ps1 -Config ${{ matrix.config }} -Tls ${{ matrix.tls }} -Link ${{ matrix.link }} -BuildId ${{ github.run_number }} -Suffix "-official" -WithTests -WithTools -Debug
- name: Perform CodeQL Analysis
if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
with:
category: "/language:c-cpp"
output: sarif-results
upload: failure-only
- name: Filter SARIF
if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d
with:
patterns: -msquic/submodules/**/*
input: sarif-results/cpp.sarif
output: sarif-results/cpp.sarif
- name: Upload SARIF
if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
with:
sarif_file: sarif-results/cpp.sarif
- name: Upload SARIF to Artifacts
if: ${{ (matrix.os == 'ubuntu') && (matrix.tls == 'openssl') && (matrix.link == 'shared') && (matrix.config == 'Release') }}
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
with:
name: sarif-results
path: sarif-results
- name: Upload
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
with:
name: bin-${{ matrix.os }}-${{ matrix.tls }}-${{ matrix.link }}-${{ matrix.config }}
path: |
artifacts/*.dll
artifacts/*.exe
artifacts/*.pdb
artifacts/*.so
artifacts/msh3app
artifacts/msh3test
- name: msh3app
run: |
./artifacts/msh3app outlook.office.com
./artifacts/msh3app www.cloudflare.com
./artifacts/msh3app www.google.com
timeout-minutes: 1
- name: msh3test
run: ./artifacts/msh3test
timeout-minutes: 1
dependabot-merge:
name: Merge Dependabot
runs-on: ubuntu-latest
needs: []
steps:
- uses: ahmadnassri/action-dependabot-auto-merge@45fc124d949b19b6b8bf6645b6c9d55f4f9ac61a
if: ${{ github.event_name == 'pull_request' }}
with:
target: minor
github-token: ${{ secrets.GITHUB_TOKEN }}
all-done:
name: Build Complete
runs-on: ubuntu-latest
needs: build
steps:
- name: No-op
shell: pwsh
run: Write-Host "All done!"