Fix nasa#412, resolve error in CodeQL Analyze Action
Fixes errors in CodeQL results uploads step.

Update parameters in CodeQL "reusable" workflow.

BREAKING Interface changes:

- Renames callable workflow to `codeql-reusable.yml`; submodules will have to be updated
- Adds required `component-path` input parameter
- Repurpose tests input to be a boolean tied to "ENABLE_UNIT_TESTS" flag

Internal changes:

- Use git clone instead of checkout@v2 for the cFS-Bundle
- Use symlink to map calling repo workspace to expected cFS Bundle directory location
- Enable "code snippets" option to CodeQL Analyze action
- Archives sarif files from analysis output
- Removes code duplication by using a matrix build for security and coding standard analyses
- Alphabetizes workflow inputs and order based on "required" flag
astrogeco committed Feb 3, 2022
1 parent 1d80995 commit 2c7f4a7
Showing 2 changed files with 101 additions and 82 deletions.
18 changes: 15 additions & 3 deletions .github/workflows/codeql-analysis.yml
@@ -1,10 +1,22 @@
name: Reuse CodeQl Analysis
name: "CodeQL Analysis: cFS-Bundle"

on:
push:
paths-ignore:
- '**/*.md'
- '**/*.txt'
- '**/*.dox'

pull_request:
paths-ignore:
- '**/*.md'
- '**/*.txt'
- '**/*.dox'

jobs:
codeql:
name: CodeQL Analysis
uses: nasa/cFS/.github/workflows/codeql-build.yml@main
uses: astrogeco/cFS/.github/workflows/codeql-reusable.yml@fix-codeql-workflow
with:
component-path: cFS
make: make -j8
test: true
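Review bot: the `uses:` line now points every caller at a personal fork and feature branch (`astrogeco/cFS/.github/workflows/codeql-reusable.yml@fix-codeql-workflow`) instead of `nasa/cFS/...@main`. That is fine for testing the branch, but it must be switched back to the upstream path before merge (ideally pinned to a tag or commit SHA rather than a moving branch), because otherwise the bundle and every submodule would execute whatever that fork branch contains at the time. Also, `test: true` passes a YAML boolean to an input the reusable workflow declares as `type: string`; declaring that input `type: boolean` keeps caller and callee types consistent.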
165 changes: 86 additions & 79 deletions .github/workflows/codeql-reusable.yml
@@ -1,30 +1,51 @@
name: "CodeQL Analysis"
name: "CodeQL Reusable Workflow"

on:
workflow_call:
inputs:
setup:
description: 'Build Prep'
# REQUIRED Inputs
component-path:
description: 'Path to repo being tested in a cFS bundle setup'
type: string
default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs'
make-prep:
description: 'Make Prep'
required: true
default: cFS

# Optional inputs
category:
description: 'Analysis Category'
required: false
type: string
default: ''

make:
description: 'Make Copy'
description: 'Build Command'
default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source
required: false
type: string
default: 'make'
tests:
description: 'Tests'

prep:
description: 'Make Prep'
default: make prep
required: false
type: string

setup:
description: 'Build Prep Commands'
type: string
default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs
required: false

test:
description: 'Value for ENABLE_UNIT_TESTS flag'
type: string
default: ''
default: false
required: false

env:
SIMULATION: native
ENABLE_UNIT_TESTS: true
ENABLE_UNIT_TESTS: ${{inputs.test}}
OMIT_DEPRECATED: true
BUILDTYPE: release
REPO: ${{github.event.repository.name}}

jobs:
#Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action.
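Review bot: `component-path` is declared both `required: true` and `default: cFS`; a required input is never resolved from its default, so one of the two should go (dropping `required` makes the bundle case the default, which matches the `if: inputs.component-path == 'cFS'` checks further down). The new `test` input is described as the value for the `ENABLE_UNIT_TESTS` flag and the commit message calls it a boolean, but it is declared `type: string` with `default: false`; `type: boolean` matches the intent and avoids passing a boolean default through a string-typed input into `ENABLE_UNIT_TESTS: ${{inputs.test}}`. Minor: the inline comment on the `make` default should have a space after `#`, and the unquoted `setup` and `prep` defaults would be clearer quoted like the `category` default.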
Expand All @@ -40,91 +61,77 @@ jobs:
concurrent_skipping: 'same_content'
skip_after_successful_duplicate: 'true'
do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
CodeQL-Security-Build:

Analysis:
#Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
needs: check-for-duplicates
if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
runs-on: ubuntu-18.04
timeout-minutes: 15

strategy:
fail-fast: false
matrix:
scan-type: [security, coding-standard]

permissions:
security-events: write

steps:
# Checks out a copy of your repository
- name: Checkout code
# Setup Bundle directory
- name: Setup cFS-Bundle directory
if: inputs.component-path == 'cFS'
run:
echo "BUILD_DIRECTORY=${{github.workspace}}" >> $GITHUB_ENV

- name: Checkout ${{ github.repository }}
if: inputs.component-path != 'cFS'
run:
echo "BUILD_DIRECTORY=../cFS" >> $GITHUB_ENV

- name: Checkout ${{ github.repository }}
uses: actions/checkout@v2
with:
repository: nasa/cFS
submodules: true

- name: Check versions
- name: Setup cFS directory
# Not needed when calling this from a "bundle" repository
if: inputs.component-path != 'cFS'
run: |
git log -1 --pretty=oneline
git submodule
cd ..
git clone https://github.com/nasa/cFS.git --recurse-submodules
cd cFS
git log -1 --pretty=oneline
git submodule
rm -r .git
rm -r ${{ inputs.component-path }}
ln -s ${{github.workspace}} ${{ inputs.component-path }}
# Setup the build system
- name: cFS Build Setup
run: |
${{ inputs.setup }}
${{ inputs.prep }}
working-directory: BUILD_DIRECTORY

if: inputs.component-path != 'cFS'

- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: c
config-file: nasa/cFS/.github/codeql/codeql-security.yml@main

- name: Copy sample_defs
run: ${{ inputs.setup }}
config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main

- name: Make prep
run: ${{ inputs.make-prep }}

- name: Make Install
- name: Build
run: ${{ inputs.make }}

- name: Run tests
run: ${{ inputs.tests }}
working-directory: BUILD_DIRECTORY

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1

CodeQL-Coding-Standard-Build:
#Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
needs: check-for-duplicates
if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
runs-on: ubuntu-18.04
timeout-minutes: 15

steps:
# Checks out a copy of your repository
- name: Checkout code
uses: actions/checkout@v2
with:
repository: nasa/cFS
submodules: true

- name: Check versions
run: |
git log -1 --pretty=oneline
git submodule
- name: Checkout codeql code
uses: actions/checkout@v2
with:
repository: github/codeql
submodules: true
path: codeql
add-snippets: true
category: ${{matrix.scan-type}}

- name: Initialize CodeQL
uses: github/codeql-action/init@v1
- name: Archive Sarif
uses: actions/upload-artifact@v2
with:
languages: c
config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main

- name: Copy sample_defs
run: ${{ inputs.setup }}

- name: Make prep
run: ${{ inputs.make-prep }}

- name: Make Install
run: ${{ inputs.make }}

- name: Run tests
run: ${{ inputs.tests }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
name: CodeQL-Sarif-${{ matrix.scan-type }}
path: /home/runner/work/${{env.REPO}}/results/cpp.sarif
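Review bot: `working-directory: BUILD_DIRECTORY` on the `cFS Build Setup` and `Build` steps is a literal relative path, not a reference to the variable the earlier steps write into `$GITHUB_ENV`; as written both steps will fail on a missing directory. Use `working-directory: ${{ env.BUILD_DIRECTORY }}`. Second, the `if: inputs.component-path != 'cFS'` on `cFS Build Setup` means the bundle caller in `codeql-analysis.yml` (which passes `component-path: cFS`) never runs `${{ inputs.setup }}` or `${{ inputs.prep }}`, so its `make -j8` runs without the Makefile copy or `make prep`; the previous version ran both unconditionally, so either drop that guard or say why the bundle no longer needs it. Third, the step named `Checkout ${{ github.repository }}` that only echoes `BUILD_DIRECTORY=../cFS` shares its name with the real checkout step right below it; rename it (for example `Setup component directory`) so the two are distinguishable in the run log. The `Build` step also has no guard for the documented blank `make` default; `if: inputs.make != ''` would skip it cleanly. Finally, the archive path `/home/runner/work/${{env.REPO}}/results/cpp.sarif` hardcodes the hosted-runner layout; `${{ github.workspace }}/../results/cpp.sarif` (the analyze action's default output location relative to the workspace) survives a different runner root. Inputs such as `${{ inputs.component-path }}` are expanded straight into the `rm -r` / `ln -s` shell commands; passing them through `env:` and quoting them is the safer pattern, even though these values come from the calling workflow file rather than from pull-request data.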
