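name: CodeQL
# Advanced CodeQL setup. Replaces the repo's previous "default setup" because
# autobuild can't locate our nested Swift Xcode project at
# scripts/rn-fast-runner/RnFastRunner/RnFastRunner.xcodeproj or our nested
# Android Gradle project at scripts/rn-android-runner/. This workflow runs
# each language's correct build command and lets CodeQL trace the resulting
# artifacts.
#
# Swift is the slow one: it needs a real `xcodebuild` compile on a macOS runner
# (CodeQL has no build-mode:none for Swift), ~17 min including runner spin-up.
# The `changes` pre-job skips the Swift build+analysis on PRs that don't touch
# Swift/Xcode files (most PRs) — the previous analysis on main still applies,
# and push-to-main + the weekly schedule always run the full scan as a backstop.
#
# All ${{ }} interpolations here read from matrix.*, needs.*, and github.* (event
# name only) — they do not interpolate untrusted github.event.* text into shell.
# The base SHA is passed through `env:` (not inline) so it can't be injected.
# https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/
#
# Every job declares an explicit `permissions:` block so the GITHUB_TOKEN is
# scoped to what that job actually needs, independent of the repository's
# default token setting.
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '20 12 * * 4'

# Third-party actions below are referenced by major-version tag (`@v4`). If the
# repo's supply-chain policy requires immutable refs, pin each `uses:` to a full
# commit SHA instead (keep the tag in a trailing comment for readability).
jobs:
  # Fast (ubuntu, ~30s) pre-flight: does the slow macOS Swift analysis need to run?
  # PR → only when Swift/Xcode files (or this workflow) changed; push/schedule → always.
  changes:
    name: Detect changed languages
    runs-on: ubuntu-latest
    # Least privilege: this job only reads git history and emits a job output,
    # so read-only repository access is all it needs. Mirrors the explicit
    # block on `analyze`; without it the job inherits the repo default token.
    permissions:
      contents: read
    outputs:
      swift: ${{ steps.detect.outputs.swift }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so the `git diff` below can reach BASE_SHA (a shallow
          # clone would not contain the base branch's commits).
          fetch-depth: 0
      - name: Detect Swift/Xcode changes
        id: detect
        env:
          EVENT_NAME: ${{ github.event_name }}
          # Empty on non-PR events; only read after the event check below.
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          set -euo pipefail
          # Non-PR events (push to main, weekly schedule) always run the full Swift scan.
          if [ "$EVENT_NAME" != "pull_request" ]; then
            echo "swift=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # PR: run Swift only when Swift sources, the Xcode project, or this
          # workflow itself changed. BASE_SHA comes via env (injection-safe).
          # Matching this workflow file guarantees that edits to the skip logic
          # itself cannot bypass the Swift scan.
          if git diff --name-only "$BASE_SHA"...HEAD \
              | grep -qE '^scripts/rn-fast-runner/|^\.github/workflows/codeql\.yml$'; then
            echo "swift=true" >> "$GITHUB_OUTPUT"
          else
            echo "swift=false" >> "$GITHUB_OUTPUT"
          fi

  analyze:
    name: Analyze (${{ matrix.language }})
    needs: changes
    runs-on: ${{ matrix.os }}
    timeout-minutes: 30
    # `security-events: write` is required to upload SARIF results;
    # `actions: read` lets the CodeQL action read workflow metadata.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      # Keep analysing the other languages if one build fails.
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
            os: ubuntu-latest
            build-mode: none
          - language: actions
            os: ubuntu-latest
            build-mode: none
          - language: java-kotlin
            os: ubuntu-latest
            build-mode: manual
          - language: swift
            os: macos-15
            build-mode: manual
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Swift unchanged on this PR → report green fast (the "Analyze (swift)" check
      # still posts) without the ~17 min macOS build. Non-swift languages are fast
      # (build-mode:none on ubuntu) and always analyze.
      - name: Skip notice (Swift unchanged)
        if: ${{ matrix.language == 'swift' && needs.changes.outputs.swift != 'true' }}
        run: echo "No Swift/Xcode changes in this PR — skipping the macOS build + CodeQL analysis. The previous analysis on main still applies; push-to-main and the weekly scheduled scan re-check."
      - name: Set up Java (Android Gradle)
        if: ${{ matrix.language == 'java-kotlin' }}
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - name: Initialize CodeQL
        if: ${{ matrix.language != 'swift' || needs.changes.outputs.swift == 'true' }}
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - name: Build rn-android-runner
        if: ${{ matrix.language == 'java-kotlin' }}
        working-directory: scripts/rn-android-runner
        run: ./gradlew :app:assembleDebugAndroidTest --no-daemon
      # Use the macos-15 runner's preinstalled Xcode (16.x); skip the slow
      # `maxim-lobanov/setup-xcode` action. Build for the iphonesimulator SDK
      # without requiring a specific device — CodeQL only needs the compile
      # commands traced, not a runnable test bundle.
      - name: Build rn-fast-runner
        if: ${{ matrix.language == 'swift' && needs.changes.outputs.swift == 'true' }}
        working-directory: scripts/rn-fast-runner/RnFastRunner
        run: |
          set -euo pipefail
          xcodebuild -version
          # Code signing is disabled: no signing identity is available on the
          # runner and CodeQL only needs the compile to be traced.
          xcodebuild build \
            -project RnFastRunner.xcodeproj \
            -scheme RnFastRunner \
            -sdk iphonesimulator \
            -configuration Debug \
            -derivedDataPath ../build/DerivedData \
            CODE_SIGNING_ALLOWED=NO \
            CODE_SIGN_IDENTITY="" \
            CODE_SIGNING_REQUIRED=NO \
            ONLY_ACTIVE_ARCH=YES
      - name: Perform CodeQL Analysis
        if: ${{ matrix.language != 'swift' || needs.changes.outputs.swift == 'true' }}
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"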