Skip to content

Commit 3231c93

Browse files
authored
ci: add CodeQL code scanning workflow (#722)
1 parent aee92fc commit 3231c93

1 file changed

Lines changed: 144 additions & 0 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 144 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,144 @@
1+
# The contents of this file are subject to the terms of the Common Development and
2+
# Distribution License (the License). You may not use this file except in compliance with the
3+
# License.
4+
#
5+
# You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
6+
# specific language governing permission and limitations under the License.
7+
#
8+
# When distributing Covered Software, include this CDDL Header Notice in each file and include
9+
# the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
10+
# Header, with the fields enclosed by brackets [] replaced by your own identifying
11+
# information: "Portions copyright [year] [name of copyright owner]".
12+
#
13+
# Copyright 2026 3A Systems, LLC.
14+
15+
name: "CodeQL"
16+
17+
on:
18+
push:
19+
branches: [ 'sustaining/4.10.x','master', 'issues/**', 'features/**' ]
20+
pull_request:
21+
branches: [ 'master' ]
22+
schedule:
23+
# Weekly run, Mondays at 03:27 UTC
24+
- cron: '27 3 * * 1'
25+
# Allows running this workflow manually from the Actions tab or via the gh CLI.
26+
workflow_dispatch:
27+
28+
# Cancel superseded runs on the same ref to avoid the long-running,
29+
# eventually-cancelled analyses seen with the previous default setup.
30+
concurrency:
31+
group: ${{ github.workflow }}-${{ github.ref }}
32+
cancel-in-progress: true
33+
34+
permissions:
35+
contents: read
36+
37+
jobs:
38+
analyze:
39+
name: Analyze (${{ matrix.language }})
40+
runs-on: ${{ matrix.os }}
41+
timeout-minutes: 360
42+
permissions:
43+
# Required to upload results to code scanning.
44+
security-events: write
45+
# Only needed for workflows in private repositories.
46+
actions: read
47+
contents: read
48+
49+
strategy:
50+
fail-fast: false
51+
matrix:
52+
include:
53+
# java-kotlin is extracted from source, so build-mode 'none' lets
54+
# CodeQL build its model without invoking Maven. This large
55+
# multi-module Maven build is expensive to compile, and 'none' avoids
56+
# the long, eventually-cancelled autobuild that the previous default
57+
# setup hit.
58+
#
59+
# For higher precision on Java (dataflow through compiled dependencies)
60+
# switch that entry to 'manual' and uncomment the Maven build below.
61+
- language: java-kotlin
62+
os: ubuntu-latest
63+
build-mode: none
64+
# 'actions' scans the workflow YAML under .github/workflows for
65+
# injection, over-privileged permissions and untrusted-input issues.
66+
- language: actions
67+
os: ubuntu-latest
68+
build-mode: none
69+
# 'ruby' (interpreted) covers the few .rb helper/extension scripts.
70+
- language: ruby
71+
os: ubuntu-latest
72+
build-mode: none
73+
# C/C++ (the Windows native launcher/service under
74+
# opendj-server-legacy/src/build-tools/windows) has no 'none' build
75+
# mode, so it is compiled manually with nmake/MSVC on Windows, exactly
76+
# as the main Build workflow does.
77+
- language: c-cpp
78+
os: windows-latest
79+
build-mode: manual
80+
81+
steps:
82+
- name: Checkout repository
83+
uses: actions/checkout@v7
84+
with:
85+
submodules: recursive
86+
87+
- name: Initialize CodeQL
88+
uses: github/codeql-action/init@v4
89+
with:
90+
languages: ${{ matrix.language }}
91+
build-mode: ${{ matrix.build-mode }}
92+
queries: security-and-quality
93+
# Exclude test and integration-test sources. With build-mode 'none'
94+
# CodeQL extracts straight from source, so paths-ignore reliably
95+
# scopes the analysis (it is honored for compiled languages only when
96+
# build-mode is 'none').
97+
config: |
98+
paths-ignore:
99+
- '**/src/test/**'
100+
- '**/src/it/**'
101+
102+
# --- C/C++ manual build (Windows native executables) -----------------
103+
- name: Setup MSVC Developer Command Prompt (x86)
104+
if: matrix.language == 'c-cpp'
105+
uses: ilammy/msvc-dev-cmd@v1
106+
env:
107+
# Opt in to Node.js 24 for this action, which still ships on Node.js 20.
108+
# See https://github.com/ilammy/msvc-dev-cmd/issues/99
109+
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
110+
with:
111+
arch: x86
112+
- name: Build Windows native executables
113+
if: matrix.language == 'c-cpp'
114+
shell: cmd
115+
run: |
116+
cd opendj-server-legacy\src\build-tools\windows
117+
nmake all
118+
# ---------------------------------------------------------------------
119+
120+
# --- Java manual build (only used if the java entry is set to 'manual')
121+
# - name: Set up JDK 11
122+
# if: matrix.language == 'java-kotlin'
123+
# uses: actions/setup-java@v5
124+
# with:
125+
# java-version: '11'
126+
# distribution: 'zulu'
127+
# - name: Cache Maven packages
128+
# if: matrix.language == 'java-kotlin'
129+
# uses: actions/cache@v6
130+
# with:
131+
# path: ~/.m2/repository
132+
# key: ${{ runner.os }}-m2-repository-${{ hashFiles('**/pom.xml') }}
133+
# restore-keys: ${{ runner.os }}-m2-repository
134+
# - name: Build with Maven
135+
# if: matrix.language == 'java-kotlin'
136+
# env:
137+
# MAVEN_OPTS: -Dhttps.protocols=TLSv1.2 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true -Dmaven.wagon.http.retryHandler.count=10
138+
# run: mvn --batch-mode --errors -DskipTests -Dmaven.test.skip=true clean compile --file pom.xml
139+
# ---------------------------------------------------------------------
140+
141+
- name: Perform CodeQL Analysis
142+
uses: github/codeql-action/analyze@v4
143+
with:
144+
category: "/language:${{ matrix.language }}"

0 commit comments

Comments
 (0)