codeql-action/.github/workflows/__upload-sarif.yml at main · github/codeql-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
#     pr-checks/sync.sh
# to regenerate this file.

name: PR Check - Test different uses of `upload-sarif`
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
on:
  push:
    branches:
      - main
      - releases/v*
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  merge_group:
    types:
      - checks_requested
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
    inputs:
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
  workflow_call:
    inputs:
      dotnet-version:
        type: string
        description: The version of .NET to install
        required: false
        default: 9.x
      go-version:
        type: string
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
defaults:
  run:
    shell: bash
concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
  group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
  upload-sarif:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            version: default
            analysis-kinds: code-scanning
          - os: ubuntu-latest
            version: default
            analysis-kinds: code-quality
          - os: ubuntu-latest
            version: default
            analysis-kinds: code-scanning,code-quality
    name: Test different uses of `upload-sarif`
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
        uses: actions/checkout@v6
      - name: Install .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Install Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          languages: csharp,java,javascript,python
          analysis-kinds: ${{ matrix.analysis-kinds }}
      - name: Build code
        run: ./build.sh
      # Generate some SARIF we can upload with the upload-sarif step
      - uses: ./../action/analyze
        with:
          ref: 'refs/heads/main'
          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          upload: never
          output: ${{ runner.temp }}/results

      - name: |
          Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
        uses: ./../action/upload-sarif
        id: upload-sarif
        with:
          ref: 'refs/heads/main'
          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
      - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
      - name: 'Fail for missing output from `upload-sarif` step for `code-quality`'
        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
        run: exit 1

      - name: Upload single SARIF file for Code Scanning
        uses: ./../action/upload-sarif
        id: upload-single-sarif-code-scanning
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
          ref: 'refs/heads/main'
          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
      - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
        run: exit 1
      - name: Upload single SARIF file for Code Quality
        uses: ./../action/upload-sarif
        id: upload-single-sarif-code-quality
        if: contains(matrix.analysis-kinds, 'code-quality')
        with:
          ref: 'refs/heads/main'
          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
      - name: 'Fail for missing output from `upload-single-sarif-code-quality` step'
        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
        run: exit 1

      - name: Change SARIF file extension
        if: contains(matrix.analysis-kinds, 'code-scanning')
        run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
      - name: Upload single non-`.sarif` file
        uses: ./../action/upload-sarif
        id: upload-single-non-sarif
        if: contains(matrix.analysis-kinds, 'code-scanning')
        with:
          ref: 'refs/heads/main'
          sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
          category: |
            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
      - name: 'Fail for missing output from `upload-single-non-sarif` step'
        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
        run: exit 1
    env:
      CODEQL_ACTION_TEST_MODE: true