CI: CodeQL Unit Testing Advanced #169
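############################
# Author : H0llyW00dzZ
############################
#
# CodeQL scan for the language(s) in the matrix. Triggers: push / PR to master,
# a nightly schedule, and manual dispatch with a selectable branch. Findings go
# to code scanning via upload-sarif; a copy of the SARIF is GPG-encrypted to the
# repository owner's GitHub public key and stored as a build artifact.
#
# Review notes on this revision:
#   - Install-dependency steps tested `matrix.fileExists`, which is not a matrix
#     key and so was always empty; they never ran. The flag is now computed from
#     the real manifest and read back as `env.fileExists`.
#   - Dropped the unused `deployments: read` permission and the dead
#     `NODE_VERSION` env on the Python/Go setup steps.
#   - External fetches (`curl`) now fail on HTTP errors instead of writing an
#     error page to disk; shell steps run with `set -euo pipefail`.
#   - Supply chain: every third-party action is referenced by a mutable tag
#     (@v2/@v3/@v4). Pin each `uses:` to a full commit SHA (keep the tag in a
#     trailing comment) so a force-pushed or compromised tag cannot run arbitrary
#     code in this job. SHAs are deliberately not invented here; resolve them from
#     the upstream repositories when adopting this.
---
name: "CI: CodeQL Unit Testing Advanced"
on:
  push:
    # modify this branch
    branches:
      - master
    paths-ignore:
      - '**.md'
      - '.github/workflows/**'
  pull_request:
    branches:
      - master
    paths-ignore:
      - '**.md'
      - '.github/workflows/**'
    types: [opened, reopened, synchronize]
  schedule:
    - cron: '0 0 * * *'
  # Allows this workflow to be run manually.
  # `inputs.branch` selects the ref to check out. On every other event the input
  # is empty and actions/checkout falls back to the event's default ref.
  workflow_dispatch:
    inputs:
      branch:
        description: 'Branch to scan'
        required: true
        default: 'master'
jobs:
  analyze:
    name: Analyze
    runs-on: ${{ matrix.language == 'swift' && 'macos-latest' || 'ubuntu-latest' }}
    timeout-minutes: ${{ matrix.language == 'swift' && 120 || 360 }}
    # Least privilege: each scope below is consumed by a step in this job.
    # On pull_request events from forks GITHUB_TOKEN is read-only regardless of
    # what is declared here, so the PR-comment step will fail for fork PRs.
    permissions:
      actions: read           # codeql-action (needed on private repositories)
      contents: read          # actions/checkout
      pull-requests: write    # PR comment step
      security-events: write  # upload-sarif to code scanning
    strategy:
      fail-fast: false
      matrix:
        # Edit to match the repository, e.g. add 'python' or 'javascript'.
        language: ['go']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.inputs.branch }}
          # Nothing later in this job needs git credentials (CodeQL, autobuild,
          # `go mod download` of public modules), so do not leave GITHUB_TOKEN in
          # .git/config where third-party actions in the same job could read it.
          persist-credentials: false
      - name: Detect repository language and dependency manifest
        id: detect-language
        env:
          MATRIX_LANGUAGE: ${{ matrix.language }}
        run: |
          set -euo pipefail
          echo "languages=${MATRIX_LANGUAGE}" >> "$GITHUB_ENV"
          # fileExists is true only when the manifest the matching install step
          # needs is actually present, so those steps cannot fail on a missing file.
          case "${MATRIX_LANGUAGE}" in
            python)     manifest="requirements.txt" ;;
            javascript) manifest="package-lock.json" ;;   # npm ci requires a lockfile
            go)         manifest="go.mod" ;;
            *)          manifest="" ;;
          esac
          if [ -n "${manifest}" ] && [ -f "${manifest}" ]; then
            echo "fileExists=true" >> "$GITHUB_ENV"
          else
            echo "fileExists=false" >> "$GITHUB_ENV"
          fi
      - name: Set up Python
        if: ${{ matrix.language == 'python' }}
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'
      - name: Install Python dependencies
        if: ${{ matrix.language == 'python' && env.fileExists == 'true' }}
        run: python -m pip install --upgrade pip && pip install -r requirements.txt
      # CodeQL's language alias is `javascript-typescript`; both map to the same
      # JavaScript extractor, which is why plain 'javascript' is used in the matrix.
      - name: Set up JavaScript/TypeScript
        if: ${{ matrix.language == 'javascript' }}
        uses: actions/setup-node@v4
        with:
          node-version: '18'
      # CodeQL only needs installed dependencies for compiled languages and Python,
      # so for JavaScript this step mainly matters if a build step is added later.
      - name: Install JavaScript/TypeScript dependencies
        if: ${{ matrix.language == 'javascript' && env.fileExists == 'true' }}
        run: npm ci
      # setup-go warns when go.sum is absent; this repository uses only the
      # standard library, so that warning is expected and harmless.
      - name: Set up Go
        if: ${{ matrix.language == 'go' }}
        uses: actions/setup-go@v4
        with:
          go-version: '1.21.5'
      - name: Install Go dependencies
        if: ${{ matrix.language == 'go' && env.fileExists == 'true' }}
        run: go mod download
      # The CodeQL config (query suites, path filters) is fetched from a gist
      # pinned to a specific revision, so a later edit of the gist cannot silently
      # change what gets scanned. Committing the file to .github/codeql/ in this
      # repository would remove the network dependency entirely.
      - name: Get CodeQL config from gist
        run: |
          set -euo pipefail
          mkdir -p .github/codeql
          # -f: a 404/5xx must fail the step, not be written to disk as the config.
          curl -fsSL --retry 3 -o .github/codeql/codeql-config.yml \
            "https://gist.githubusercontent.com/H0llyW00dzZ/230f3422c3be901915f2802d3a3314b1/raw/dbdae057dfeabc6af42d5322c948f563dc8277a1/codeql-config.yml"
      - name: Initialize CodeQL
        id: InitCodeQL
        uses: github/codeql-action/init@v2
        with:
          # `languages` is set in $GITHUB_ENV by the detect step above.
          languages: ${{ env.languages }}
          config-file: ./.github/codeql/codeql-config.yml
      # Autobuild is only attempted for compiled languages; currently Go.
      - name: Attempt to automatically build code for ${{ matrix.language }}
        if: ${{ matrix.language == 'go' }}
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL-Security Analysis
        if: ${{ env.languages != '' }}
        id: CodeQL
        uses: github/codeql-action/analyze@v2
        with:
          # Upload is done explicitly below so the same SARIF can also be
          # encrypted and archived as an artifact.
          upload: false
          # Include source snippets in the SARIF.
          add-snippets: true
      - name: Upload ${{ matrix.language }} SARIF for Analysis Result
        if: ${{ matrix.language && env.languages != '' }}
        id: upload-Analysis_Result-sarif
        uses: github/codeql-action/upload-sarif@v2
        with:
          # analyze writes to <runner.workspace>/results/<language>.sarif when upload is disabled.
          sarif_file: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif
          category: "Analysis Result: ${{ matrix.language }}"
      # Artifacts on a public repository are downloadable by anyone, so the SARIF
      # is encrypted to the owner's public key before being archived. Comment out
      # this step and the artifact upload to disable.
      - name: Encrypt Analysis Result
        if: ${{ matrix.language && env.languages != '' }}
        id: Encrypt_Analysis
        env:
          OWNER: ${{ github.repository_owner }}
          KEY_URL: https://github.com/${{ github.repository_owner }}.gpg
          SARIF_FILE: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif
        run: |
          set -euo pipefail
          # The key is fetched over HTTPS from github.com, which is what authenticates
          # it; -f makes a missing key (e.g. an org owner, which has no .gpg page)
          # fail here rather than produce an empty import.
          curl -fsSL --retry 3 "$KEY_URL" -o keyfile
          gpg --import keyfile
          rm -f keyfile
          # Long key ID of the first imported public key. The runner starts with an
          # empty keyring, so this is the owner's first listed key. If the owner has
          # several keys this picks the first one — TODO confirm that is the intended recipient.
          key_id="$(gpg --list-keys --with-colons | awk -F: '$1 == "pub" { print $5; exit }')"
          if [ -z "${key_id}" ]; then
            echo "::error::no GPG public key found for ${OWNER}"
            exit 1
          fi
          # --trust-model always: the imported key has no web-of-trust path; trust
          # comes from the authenticated fetch above, not from signatures.
          gpg --encrypt --recipient "${key_id}" --trust-model always "${SARIF_FILE}"
      - name: Upload Analysis Result As Artifact
        if: ${{ matrix.language && env.languages != '' }}
        uses: actions/upload-artifact@v3
        with:
          name: Analysis_Result (SARIF + Encrypted)
          # Only the .gpg file is archived; the plaintext SARIF stays on the runner.
          path: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif.gpg
          # Fail loudly instead of publishing an empty artifact.
          if-no-files-found: error
      - name: Check CodeQL Unit Testing status
        if: ${{ github.event_name == 'pull_request' }}
        id: check-status
        env:
          ENCRYPTED_SARIF: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif.gpg
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          # Only step outputs are consumed (by the PR comment step). Writes to
          # $GITHUB_STATE were dropped: that file is for an action's pre/post hooks
          # and nothing in this job reads it.
          if [ -f "${ENCRYPTED_SARIF}" ]; then
            echo "codeql_status=done" >> "$GITHUB_OUTPUT"
            echo "pull_request_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
          else
            echo "codeql_status=pending" >> "$GITHUB_OUTPUT"
          fi
      # Third-party action receiving a token with pull-requests: write — a strong
      # candidate for SHA pinning (see header note).
      - name: PR comment
        if: ${{ steps.check-status.outputs.codeql_status == 'done' && github.event_name == 'pull_request' }}
        uses: NejcZdovc/comment-pr@v2
        with:
          message: "CodeQL analysis is complete for PR #${{ steps.check-status.outputs.pull_request_number }}"
          github_token: ${{ secrets.GITHUB_TOKEN }}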