Skip to content

CI: CodeQL Unit Testing Advanced #157

CI: CodeQL Unit Testing Advanced

CI: CodeQL Unit Testing Advanced #157

Workflow file for this run

############################
# Author : H0llyW00dzZ #
############################
name: "CI: CodeQL Unit Testing Advanced"
on:
push:
# modify this branch
branches:
- master
paths-ignore:
- '**.md'
- '.github/workflows/**'
pull_request:
branches:
- master
paths-ignore:
- '**.md'
- '.github/workflows/**'
types: [opened, reopened, synchronize]
schedule:
- cron: '0 0 * * *'
# allows you to run this workflow manually
# Adding an `inputs` section to the `workflow_dispatch` event to define a new input parameter called `branch`
workflow_dispatch:
inputs:
branch:
description: 'Branch to scan'
required: true
default: 'master'
jobs:
analyze:
name: Analyze
runs-on: ${{ matrix.language == 'swift' && 'macos-latest' || 'ubuntu-latest' }}
timeout-minutes: ${{ matrix.language == 'swift' && 120 || 360 }}
permissions:
actions: read
contents: read
pull-requests: write
deployments: read
security-events: write
strategy:
fail-fast: false
matrix:
# this can be modified example if your repo is only python then remove 'javascript', 'go'
language: ['go']
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: ${{ github.event.inputs.branch }}
- name: Detect repository language
id: detect-language
run: |
echo "languages=${{ matrix.language }}" >> $GITHUB_ENV
echo "fileExists=true" >> $GITHUB_ENV
- name: Set up Python
if: ${{ matrix.language == 'python' }}
uses: actions/setup-python@v4
with:
python-version: '3.x'
env:
NODE_VERSION: 18
- name: Install Python dependencies
if: ${{ matrix.language == 'python' && matrix.fileExists }}
run: python -m pip install --upgrade pip && pip install -r requirements.txt
# github need to fix this confusing alias javascript-typescript, because in the end are javascript LMAO
- name: Set up JavaScript/TypeScript
if: ${{ matrix.language == 'javascript' }}
uses: actions/setup-node@v4
with:
node-version: '18'
# note: this useless because in CodeQL about dependencies it's only for compiled language or python
- name: Install JavaScript/TypeScript dependencies
if: ${{ matrix.language == 'javascript' && matrix.fileExists }}
run: npm ci
# note: ignore that warning in `setup up go` because this repo are using standard library, so go.sum not really needed lol
- name: Set up Go
if: ${{ matrix.language == 'go' }}
uses: actions/setup-go@v4
with:
go-version: '1.21.5'
env:
NODE_VERSION: 18
- name: Install Go dependencies
if: ${{ matrix.language == 'go' && matrix.fileExists }}
run: go mod download
# Get CodeQL config from gist
- name: Get config from gist
run: |
mkdir -p .github/codeql
curl -o .github/codeql/codeql-config.yml https://gist.githubusercontent.com/H0llyW00dzZ/230f3422c3be901915f2802d3a3314b1/raw/dbdae057dfeabc6af42d5322c948f563dc8277a1/codeql-config.yml
- name: Initialize CodeQL
id: InitCodeQL
uses: github/codeql-action/init@v2
with:
# Configuration for init codeQL
languages: ${{ env.languages }}
config-file: ./.github/codeql/codeql-config.yml
# Attempt to automatically build code for compiled languages
# Currently only for Go, but more can be added later
- name: Attempt to automatically build code for ${{ matrix.language }}
if: ${{ matrix.language == 'go' }}
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL-Security Analysis
if: ${{ env.languages != '' }}
id: CodeQL
uses: github/codeql-action/analyze@v2
with:
# disable default upload because using multiple method
upload: false
# snippets for SARIF file
add-snippets: true
- name: Upload ${{ matrix.language }} SARIF for Analysis Result
if: ${{ matrix.language && env.languages != '' }}
id: upload-Analysis_Result-sarif
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif
category: "Analysis Result: ${{ matrix.language }}"
# since it public everyone can see in artifact about Analysis Result
# just for incase you can disable this later by block #
- name: Encrypt Analysis Result
if: ${{ matrix.language && env.languages != '' }}
id: Encrypt_Analysis
run: |
curl -sSL "https://github.com/${{ github.repository_owner }}.gpg" -o keyfile
gpg --import keyfile
gpg --encrypt --recipient "$(gpg --list-keys --keyid-format LONG | grep '^pub' | awk '{print $2}' | awk -F'/' '{print $2}')" --trust-model always "${{ runner.workspace }}/results/${{ matrix.language }}.sarif"
- name: Upload Analysis Result As Artifact
uses: actions/upload-artifact@v3
with:
name: Analysis_Result (SARIF + Encrypted)
path: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif.gpg
- name: Check CodeQL Unit Testing status
if: ${{github.event_name == 'pull_request' }}
id: check-status
run: |
if [ -f "${{ runner.workspace }}/results/${{ matrix.language }}.sarif.gpg" ]; then
echo "codeql_status=done" >> $GITHUB_STATE
echo "codeql_status=done" >> $GITHUB_OUTPUT
echo "pull_request_number=${{ github.event.pull_request.number }}" >> $GITHUB_STATE
echo "pull_request_number=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
else
echo "codeql_status=pending" >> $GITHUB_STATE
echo "codeql_status=pending" >> $GITHUB_OUTPUT
fi
- name: PR comment
if: ${{ steps.check-status.outputs.codeql_status == 'done' && github.event_name == 'pull_request' }}
uses: NejcZdovc/comment-pr@v2
with:
message: "CodeQL analysis is complete for PR #${{ steps.check-status.outputs.pull_request_number }}"
github_token: ${{ secrets.GITHUB_TOKEN }}