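---
# CodeQL scan of the Java and native (C++) code.
# Triggers: nightly schedule, manual dispatch, and every push to any branch.
# Third-party actions are pinned to major-version tags only; pinning each
# `uses:` to a full commit SHA (with the tag in a trailing comment) would
# protect the workflow from a moved or compromised tag.
name: CodeQL (daily)

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '30 1 * * *'
  workflow_dispatch:
  push:
    branches:
      - '**'

jobs:
  # ===== Java Analysis Job =====
  analyze-java:
    name: "Analyze Java Code"
    # A job-level permissions block sets every scope it does not list to none.
    # contents: read is what actions/checkout and the CodeQL workflow template
    # ask for; without it the checkout presumably only works because the
    # repository is public.
    permissions:
      actions: read
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Java 17
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'  # quoted so the version is never re-typed as a number
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          # debug: true makes the action upload CodeQL debug artifacts (logs and
          # database) for every run; turn it off once the scan is stable.
          debug: true
      - name: Build Java code
        # Skip build cache for full code analysis
        run: ./gradlew assemble --no-build-cache
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: java

  # ===== C++ Analysis Job =====
  analyze-cpp:
    name: "Analyze C++ Code"
    # Same scope rationale as analyze-java: unlisted scopes become none, so
    # contents: read is granted explicitly for the checkout.
    permissions:
      actions: read
      contents: read
      security-events: write
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Java 17 (required for JNI compilation)
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - name: Setup Visual Studio Build Tools
        uses: microsoft/setup-msbuild@v1
      - name: Set up Windows SDK
        uses: ilammy/msvc-dev-cmd@v1
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: cpp
          debug: true
          config-file: .github/codeql-config.yml
      # Best-effort build: a failed native build is recorded in
      # CPP_BUILD_SUCCEEDED and the step still exits 0 so the analysis step
      # below runs. Touching the .cpp files does not add them to the CodeQL
      # database -- C++ is extracted from the compilations the tracer observes,
      # so after a failed build the database is partial or empty and findings
      # in the uncompiled files are missed. Because the job still ends in
      # 'success', the notification job below cannot tell a real scan from an
      # attempted one; the only signal is the ::warning:: annotation.
      - name: Build C++ code
        shell: powershell
        id: build-cpp
        run: |
          # Configure environment for C++ build
          $winSdkPath = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\include" | Select-Object -Last 1).FullName
          Write-Host "Using Windows SDK from path: $winSdkPath"
          # Set environment variables
          $env:APPINSIGHTS_WIN10_SDK_PATH = "C:\Program Files (x86)\Windows Kits\10"
          $env:APPINSIGHTS_VS_PATH = $env:VsInstallRoot
          $env:JAVA_HOME = $env:JAVA_HOME_17_X64
          Write-Host "APPINSIGHTS_WIN10_SDK_PATH: $env:APPINSIGHTS_WIN10_SDK_PATH"
          Write-Host "APPINSIGHTS_VS_PATH: $env:APPINSIGHTS_VS_PATH"
          Write-Host "JAVA_HOME: $env:JAVA_HOME"
          # Build the native code
          try {
            ./gradlew "-Dai.etw.native.build=release" :etw:native:build --info
            echo "CPP_BUILD_SUCCEEDED=true" | Out-File -FilePath $env:GITHUB_ENV -Append
          } catch {
            Write-Host "Native C++ build failed with error: $_"
            # Ensure CodeQL can still scan the files by touching them
            Get-ChildItem -Path "etw/native/src" -Recurse -Filter "*.cpp" | Foreach-Object {
              Write-Host "Touching file: $($_.FullName)"
              (Get-Item $_.FullName).LastWriteTime = Get-Date
            }
            echo "CPP_BUILD_SUCCEEDED=false" | Out-File -FilePath $env:GITHUB_ENV -Append
          }
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: cpp
      - name: Report C++ build status
        if: env.CPP_BUILD_SUCCEEDED == 'false'
        run: |
          echo "::warning::C++ build failed but CodeQL scan was attempted anyway. Some C++ issues may not be detected."

  # Runs after both analysis jobs regardless of their outcome and reports a
  # single success flag; see the note on the C++ build step about what
  # 'success' does and does not cover.
  scheduled-job-notification:
    permissions:
      issues: write
    needs:
      - analyze-java
      - analyze-cpp
    if: always()
    uses: ./.github/workflows/reusable-scheduled-job-notification.yml
    with:
      success: ${{ needs.analyze-java.result == 'success' && needs.analyze-cpp.result == 'success' }}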