# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************
# Workflow: CodeQL analysis — split into database creation and analysis phases.
#
# Phase 1 (create-codeql-database): Builds the codebase with CodeQL tracing
# and produces a reusable CodeQL database artifact.
#
# Phase 2 (analysis): Downloads the database and runs CodeQL queries.
# - PR / push to main: runs the incremental (quick) query set defined in
# config.yaml, which excludes queries tagged "exclude-from-incremental".
# - Nightly (schedule): runs the full MISRA pack including slow queries.
#
# This split avoids rebuilding the database for each analysis profile and
# enables running different query sets for PR feedback vs nightly compliance.
#
# Reference: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
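---
name: CodeQL Analysis

# NOTE(review): only the nightly schedule and manual dispatch are wired here.
# The PR / push incremental profile described in the file header is not
# defined in this workflow — confirm it lives in a separate workflow file.
on:
  schedule:
    - cron: '0 2 * * *'  # Nightly at 2 AM UTC
  workflow_dispatch:  # Allow maintainers to trigger manually when needed

# Least privilege: the default token for every job is read-only. The build
# job (Phase 1) never talks to Code Scanning, so it must not carry
# security-events: write; that grant is scoped to the analysis job below.
permissions:
  contents: read

concurrency:
  group: codeql-${{ github.ref }}
  cancel-in-progress: false  # Never cancel an in-progress CodeQL run; it takes hours

env:
  ANDROID_HOME: ""
  ANDROID_SDK_ROOT: ""
  # Env values are always strings to the runner; quoted so no YAML parser
  # turns this into a boolean on the way in.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  # ── Phase 1: Create CodeQL database ──────────────────────────────────────
  # Builds the targets with CodeQL tracing and hands the resulting database
  # to Phase 2 as a short-lived artifact. Runs with the read-only default
  # token inherited from the workflow-level permissions.
  create-codeql-database:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Free Disk Space (Ubuntu)
        uses: eclipse-score/more-disk-space@v1
        with:
          level: 4
      - name: Setup Bazel
        # NOTE(review): "cache-optimized" is a branch name, not a tag or
        # commit SHA, so the action code executing in this job can change
        # without any change to this repository. Pin third-party actions to
        # a full commit SHA once reviewed, e.g.
        #   uses: castler/setup-bazel@<full-commit-sha>  # cache-optimized
        uses: castler/setup-bazel@cache-optimized
      - name: Allow linux-sandbox
        uses: ./actions/unblock_user_namespace_for_linux_sandbox
      - name: Create CodeQL database
        run: |
          bazel run //quality/static_analysis:codeql_lint -- \
            --phase create-database \
            --database-path /var/tmp/codeql_databases/codeql_db \
            --target //score/message_passing //score/mw/com
      - name: Upload CodeQL database artifact
        uses: actions/upload-artifact@v4
        with:
          name: codeql-database
          path: /var/tmp/codeql_databases/codeql_db
          # The database only needs to survive until the analysis job
          # downloads it; expire it quickly to limit storage and exposure.
          retention-days: 1

  # ── Phase 2: Full analysis (nightly) ─────────────────────────────────────
  # Re-uses the Phase 1 database and runs the full query set. This is the
  # only job that uploads to Code Scanning, so it is the only job that
  # holds security-events: write.
  analyze-nightly:
    needs: create-codeql-database
    runs-on: ubuntu-24.04
    permissions:
      contents: read  # checkout
      security-events: write  # Required to upload SARIF results to GitHub Code Scanning
      # NOTE(review): if this repository is private, upload-sarif also
      # needs `actions: read` per the codeql-action documentation — confirm.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Free Disk Space (Ubuntu)
        uses: eclipse-score/more-disk-space@v1
        with:
          level: 4
      - name: Setup Bazel
        # NOTE(review): mutable branch ref — see the same step in Phase 1;
        # pin to a full commit SHA once reviewed.
        uses: castler/setup-bazel@cache-optimized
      - name: Allow linux-sandbox
        uses: ./actions/unblock_user_namespace_for_linux_sandbox
      - name: Download CodeQL database
        uses: actions/download-artifact@v4
        with:
          name: codeql-database
          path: /var/tmp/codeql_databases/codeql_db
      - name: Run CodeQL analysis (full — all MISRA rules)
        run: |
          bazel run //quality/static_analysis:codeql_lint -- \
            --phase analyze-database \
            --database-path /var/tmp/codeql_databases/codeql_db \
            --output-dir /tmp/codeql-results \
            --output-prefix codeql-nightly
      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: /tmp/codeql-results/codeql-nightly.sarif
          # Distinct category keeps nightly results separate from any other
          # CodeQL upload against the same ref.
          category: codeql-nightly
      - name: Upload CSV results
        uses: actions/upload-artifact@v4
        with:
          name: codeql-csv-results
          path: /tmp/codeql-results/codeql-nightly.csv
          retention-days: 30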