Skip to content

Commit d8217f5

Browse files
committed
ci: add CodeQL static analysis
Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
1 parent f4100d1 commit d8217f5

1 file changed

Lines changed: 77 additions & 0 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
name: CodeQL
2+
3+
# Static analysis (SAST) over the Go sources. Runs on every PR and on pushes to
4+
# the default branch, plus a weekly scheduled scan so newly published query
5+
# packs catch existing code. Results land in the code-scanning dashboard.
6+
on:
7+
push:
8+
branches: [ main ]
9+
pull_request:
10+
branches: [ main ]
11+
schedule:
12+
- cron: '24 6 * * 1'
13+
14+
# Read-only by default; the analyze job opts into security-events:write.
15+
permissions:
16+
contents: read
17+
18+
concurrency:
19+
group: codeql-${{ github.ref }}
20+
cancel-in-progress: true
21+
22+
jobs:
23+
analyze:
24+
name: Analyze (Go)
25+
runs-on: ubuntu-latest
26+
permissions:
27+
# Required to upload CodeQL results to the code-scanning dashboard.
28+
security-events: write
29+
contents: read
30+
steps:
31+
- name: Checkout
32+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
33+
with:
34+
persist-credentials: false
35+
36+
# cache: false is deliberate. CodeQL's Go extractor only sees code that is
37+
# actually compiled while it traces the build; a warm build cache (shared
38+
# with the other CI jobs) would make `go build` a no-op and yield "no source
39+
# code seen during build". Starting cold guarantees real compilation.
40+
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
41+
with:
42+
go-version: "1.26.4"
43+
cache: false
44+
45+
# Go does not support build-mode: none, so extraction is traced through a
46+
# real build. There is no root module to build and the SDK-backed sink
47+
# destinations live outside the workspace, so the manual build walks the
48+
# in-workspace modules (the same set ci.yml lints and tests) and compiles
49+
# each under the CodeQL tracer.
50+
- name: Initialize CodeQL
51+
uses: github/codeql-action/init@d77b13a0df3134d64a457ea9003f600b09fa1c8a # v3.36.1
52+
with:
53+
languages: go
54+
build-mode: manual
55+
56+
- name: Build (CodeQL tracing)
57+
shell: bash
58+
env:
59+
MODULES: "state state/expr durable cluster transport wasm e2e examples/fooddelivery examples/dispatch telemetry telemetry/slog telemetry/otel telemetry/datadog sink sink/bridge sink/file sink/http sink/prometheus sink/slog"
60+
run: |
61+
# Force a cold build cache so every package is recompiled under the
62+
# CodeQL tracer (otherwise nothing is extracted; see cache: false above).
63+
go clean -cache
64+
# Build from inside each module dir (cd, not `go build -C`): the
65+
# extractor traces the in-process compiles, and `-C` re-execs the go
66+
# command in a way the tracer does not follow, which yields an empty
67+
# database ("no source code seen during build").
68+
for module in $MODULES; do
69+
echo "::group::build ($module)"
70+
( cd "$module" && go build ./... )
71+
echo "::endgroup::"
72+
done
73+
74+
- name: Perform CodeQL analysis
75+
uses: github/codeql-action/analyze@d77b13a0df3134d64a457ea9003f600b09fa1c8a # v3.36.1
76+
with:
77+
category: "/language:go"

0 commit comments

Comments
 (0)