[SEC-6038] codeql workflow fix #347
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CodeQL Advanced" | |
| on: | |
| push: | |
| branches: [ "master" ] | |
| pull_request: | |
| branches: [ "master" ] | |
| schedule: | |
| - cron: '0 0 * * 1' # Runs every Monday at midnight, this is to ensure that there is at least 1 scan every 7 days. | |
| workflow_dispatch: | |
| inputs: | |
| pr_id: | |
| description: 'Pull Request ID' | |
| required: true | |
| type: string | |
| concurrency: | |
| group: codeql-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| Analyze_Ruby_JSandTS: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: gha-runner-no-perms | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: actions | |
| build-mode: none | |
| - language: javascript-typescript | |
| build-mode: none | |
| - language: ruby | |
| build-mode: none | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
| queries: ${{ matrix.language && 'security-extended, security-and-quality' }} | |
| - if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| echo 'If you are using a "manual" build mode for one or more of the' \ | |
| 'languages you are analyzing, replace this with the commands to build' \ | |
| 'your code, for example:' | |
| echo ' make bootstrap' | |
| echo ' make release' | |
| exit 1 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| Build_Analyze_Android_Example: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| env: | |
| TURBO_CACHE_DIR: .turbo/android | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: java-kotlin | |
| build-mode: manual | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup | |
| uses: ./.github/actions/setup | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| - name: Install Dependencies | |
| run: | | |
| yarn install | |
| - name: Install JDK | |
| if: env.turbo_cache_hit != 1 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'zulu' | |
| java-version: '17' | |
| - name: Finalize Android SDK | |
| if: env.turbo_cache_hit !=1 | |
| run: | | |
| /bin/bash -c "yes | $ANDROID_HOME/cmdline-tools/latest/bin/sdkmanager --licenses > /dev/null" | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
| queries: ${{ matrix.language && 'security-extended, security-and-quality' }} | |
| - if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| cd example | |
| npx -v | |
| yarn install | |
| cd android | |
| ./gradlew compileKotlin compileJava --no-daemon --no-build-cache | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| Build_Analyze_iOS_Example: | |
| name: Analyze (${{ matrix.language }}) | |
| timeout-minutes: 120 | |
| env: | |
| TURBO_CACHE_DIR: .turbo/ios | |
| TURBO_TOKEN: ${{ secrets. TURBO_TOKEN }} | |
| TURBO_TEAM: ${{ secrets. TURBO_TEAM }} | |
| runs-on: ${{ (matrix.language == 'swift' && 'macos-15') || 'ubuntu-latest' }} | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: swift | |
| build-mode: manual | |
| steps: | |
| - name: Checkout react-native-sdk | |
| uses: actions/checkout@v4 | |
| - name: Setup | |
| uses: ./.github/actions/setup | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # If you wish to specify custom queries, you can do so here or in a config file. | |
| # By default, queries listed here will override any specified in a config file. | |
| # Prefix the list here with "+" to use these queries and those in the config file. | |
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
| queries: ${{ matrix.language && 'security-extended, security-and-quality' }} | |
| - if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| cd example | |
| yarn install | |
| cd ios | |
| bundle install | |
| bundle exec pod install | |
| xcodebuild -workspace ReactNativeSdkExample.xcworkspace -scheme ReactNativeSdkExample -configuration Debug -destination 'platform=iOS Simulator,name=iPhone 16' build | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" |