Update codeql run for successful build

lundman · lundman · commit 40ef3ce3587d · 2026-04-15T10:00:03.000+09:00
Signed-off-by: Jorgen Lundman &lt;lundman@lundman.net&gt;
diff --git a/.github/workflows/codeql-windows.yml b/.github/workflows/codeql-windows.yml
@@ -1,69 +1,86 @@
-######################################################################################
-#                                                                                    #
-#    If you're looking for instructions on how to build this under windows go to     #
-#https://github.com/openzfsonwindows/openzfs/blob/windows/module/os/windows/README.md#
-#                                                                                    #
-######################################################################################
-
-name: "CodeQL windows"
+name: CodeQL Windows
 
 on:
   push:
+    branches:
+      - zfs-Windows-*-release
+    tags-ignore:
+      - '*'
   pull_request:
-
-env:
-  # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
-  BUILD_TYPE: Debug
+    branches:
+      - zfs-Windows-*-release
+  workflow_dispatch:
 
 jobs:
   analyze:
-    name: Analyze
-    timeout-minutes: 120
-    # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac.
-    # You can convert this to a matrix build if you need cross-platform coverage.
-    # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
     runs-on: windows-latest
     permissions:
-        actions: read
-        contents: read
-        security-events: write
+      actions: read
+      contents: read
+      security-events: write
 
     steps:
-    - uses: ilammy/msvc-dev-cmd@v1
+      - uses: ilammy/msvc-dev-cmd@v1
+
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: actions/checkout@v5
+        with:
+          repository: openzfsonwindows/openssl
+          ref: openssl-3.5.5
+          path: openssl
+
+      - name: Install WDK via NuGet
+        shell: pwsh
+        run: |
+          nuget install Microsoft.Windows.WDK.x64 `
+            -Version 10.0.26100.6584 `
+            -OutputDirectory "${{ github.workspace }}\packages" `
+            -Source https://api.nuget.org/v3/index.json
+
+      - name: Set WDK and SDK roots
+        shell: pwsh
+        run: |
+          $wdk = Get-ChildItem "${{ github.workspace }}\packages" -Directory |
+            Where-Object { $_.Name -like "Microsoft.Windows.WDK.x64.*" } |
+            Sort-Object Name -Descending |
+            Select-Object -First 1
 
-    - uses: actions/checkout@v3
-      with:
-        #repository: openzfsonwindows/openzfs
-        fetch-depth: 0
+          $sdk = Get-ChildItem "${{ github.workspace }}\packages" -Directory |
+            Where-Object { $_.Name -like "Microsoft.Windows.SDK.CPP.*" -and $_.Name -notlike "*.x64.*" } |
+            Sort-Object Name -Descending |
+            Select-Object -First 1
 
-    - name: Import signing certificate
-      run: |
-        $plaintextpwd = 'password1234'
-        $pwd = ConvertTo-SecureString -String $plaintextpwd -Force -AsPlainText
-        Import-PfxCertificate -FilePath ${{github.workspace}}/contrib/windows/TestCert/test_sign_cert_pass.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pwd -Exportable
+          "WDKContentRoot=$($wdk.FullName)\c" | Out-File -FilePath $env:GITHUB_ENV -Append
+          "WINSDK_NUGET_ROOT=$($sdk.FullName)\c" | Out-File -FilePath $env:GITHUB_ENV -Append
 
-    - name: Checkout openssl
-      uses: actions/checkout@v3
-      with:
-        repository: andrewc12/openssl # optional, default is ${{ github.repository }}
-        path: openssl # optional
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: c-cpp
+          build-mode: manual
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-        # Override language selection by uncommenting this and choosing your languages
-      with:
-          languages: cpp
+      - name: Create test signing certificate
+        shell: pwsh
+        run: |
+          # only if your build still needs signing during compile/link
 
-    - name: Configure CMake
-      # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
-      # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type
-      run: cmake -G "Ninja" -B ${{github.workspace}}/out/build/x64-Debug ${{github.workspace}}  -DOPENSSL_ROOT_DIR=${{github.workspace}}/openssl/ -DCRYPTO_STATIC_TEST=${{github.workspace}}/openssl/lib/VC/static/libcrypto64MTd.lib -DLIB_EAY_DEBUG=${{github.workspace}}/openssl/lib/VC/static/libcrypto64MTd.lib -DLIB_EAY_RELEASE=${{github.workspace}}/openssl/lib/VC/static/libcrypto64MT.lib -DOPENSSL_INCLUDE_DIR=${{github.workspace}}/openssl/include -DSSL_EAY_DEBUG=${{github.workspace}}/openssl/lib/VC/static/libssl64MTd.lib -DSSL_EAY_RELEASE=${{github.workspace}}/openssl/lib/VC/static/libssl64MT.lib
+      - name: Configure CMake
+        shell: pwsh
+        run: |
+          cmake -E env WDKContentRoot="$env:WDKContentRoot" WINSDK_NUGET_ROOT="$env:WINSDK_NUGET_ROOT" `
+            cmake -G "Ninja" `
+            -B "${{ github.workspace }}/out/build/x64-Debug" `
+            "${{ github.workspace }}" `
+            ...
 
-    - name: Build
-      working-directory: ${{github.workspace}}/out/build/x64-Debug
-      # Build your program with the given configuration
-      run: cmake --build ${{github.workspace}}/out/build/x64-Debug
+      - name: Build
+        shell: pwsh
+        run: |
+          cmake --build "${{ github.workspace }}/out/build/x64-Debug" --parallel
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3
