From eadd15900782fc2ab3c40d6cc3e0714174851609 Mon Sep 17 00:00:00 2001
From: "Gerardo E. Cruz-Ortiz" <59618057+astrogeco@users.noreply.github.com>
Date: Tue, 1 Feb 2022 18:19:42 -0500
Subject: [PATCH] Fix #412, resolve error in CodeQL Analyze Action

Fixes errors in CodeQL results uploads step.

Update parameters in CodeQL "reusable" workflow.

BREAKING Interface changes:

- Renames callable workflow to `codeql-reusable.yml`, submodules will
have to be updated
- Adds required `component-path` input parameter
- Repurpose tests input to be a boolean tied to "ENABLE_UNIT_TESTS" flag

Internal changes:

- Use git clone instead of checkout@v2 for the cFS-Bundle
- Use symlink to map calling repo workspace to expected cFS Bundle directory location

- Enable "code snippets" option to CodeQL Analyze action
- Archives sarif files from analysis output
- Removes code duplication by using a matrix build for security and coding standard analyses
- Alphabetizes workflow inputs and order based on "required" flag
---
 .github/workflows/codeql-analysis.yml |  18 ++-
 .github/workflows/codeql-reusable.yml | 155 +++++++++++++-------------
 2 files changed, 91 insertions(+), 82 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ee5a9a66e..7f3739fae 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,10 +1,22 @@
-name: Reuse CodeQl Analysis
+name: "CodeQL Analysis: cFS-Bundle"
 
 on:
   push:
+    paths-ignore: 
+    - '**/*.md'
+    - '**/*.txt'
+    - '**/*.dox'
+
   pull_request:
+    paths-ignore: 
+    - '**/*.md'
+    - '**/*.txt'
+    - '**/*.dox'
 
 jobs:
   codeql:
-    name: CodeQL Analysis
-    uses: nasa/cFS/.github/workflows/codeql-build.yml@main
\ No newline at end of file
+    uses: astrogeco/cFS/.github/workflows/codeql-reusable.yml@fix-codeql-workflow
+    with: 
+      component-path: cFS
+      make: make -j8
+      test: true
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
index 773b7ca2b..569639a09 100644
--- a/.github/workflows/codeql-reusable.yml
+++ b/.github/workflows/codeql-reusable.yml
@@ -1,30 +1,51 @@
-name: "CodeQL Analysis"
+name: "CodeQL Reusable Workflow"
 
 on:
   workflow_call:
     inputs:
-      setup:
-        description: 'Build Prep'
+      # REQUIRED Inputs
+      component-path:
+        description: 'Path to repo being tested in a cFS bundle setup'
         type: string
-        default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs'
-      make-prep:
-        description: 'Make Prep'
+        required: true
+        default: cFS
+
+      # Optional inputs
+      category:
+        description: 'Analysis Category'
+        required: false
         type: string
-        default: ''
+
       make:
-        description: 'Make Copy'
+        description: 'Build Command'
+        default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source
+        required: false
         type: string
-        default: 'make'      
-      tests: 
-        description: 'Tests'
+
+      prep:
+        description: 'Make Prep'
+        default: make prep
+        required: false
+        type: string
+
+      setup:
+        description: 'Build Prep Commands'
+        type: string
+        default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs
+        required: false
+
+      test: 
+        description: 'Value for ENABLE_UNIT_TESTS flag'
         type: string
-        default: ''  
+        default: false 
+        required: false
 
 env:
   SIMULATION: native
-  ENABLE_UNIT_TESTS: true
+  ENABLE_UNIT_TESTS: ${{inputs.test}}
   OMIT_DEPRECATED: true
   BUILDTYPE: release
+  REPO: ${{github.event.repository.name}}
 
 jobs:
   #Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action. 
@@ -40,91 +61,67 @@ jobs:
           concurrent_skipping: 'same_content'
           skip_after_successful_duplicate: 'true'
           do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
-          
-  CodeQL-Security-Build:
+
+  Analysis:
     #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
     needs: check-for-duplicates
     if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
     runs-on: ubuntu-18.04
     timeout-minutes: 15
 
+    strategy:
+      fail-fast: false
+      matrix:
+        scan-type: [security, coding-standard]
+
+    permissions:
+      security-events: write
+
     steps:
-      # Checks out a copy of your repository
-      - name: Checkout code
+      # Checks out a copy of calling repository
+      - name: Checkout ${{ github.repository }}
         uses: actions/checkout@v2
-        with:
-          repository: nasa/cFS
-          submodules: true
 
-      - name: Check versions
+      - name: Setup cFS directory
+        # Not needed when calling this from a "bundle" repository
+        if: inputs.component-path != 'cFS'
         run: |
-           git log -1 --pretty=oneline
-           git submodule
-           
+          cd ..
+          git clone https://github.com/nasa/cFS.git --recurse-submodules
+          cd cFS
+          git log -1 --pretty=oneline
+          git submodule
+          rm -r .git
+          rm -r ${{ inputs.component-path }} 
+          ln -s ${{github.workspace}} ${{ inputs.component-path }} 
+
+        # Setup the build system
+      - name: cFS Build Setup
+        run: ${{ inputs.setup }}
+        working-directory: ../cFS
+
+      - name: Prep Build
+        run: ${{ inputs.prep }}
+        working-directory: ../cFS
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v1
         with:
           languages: c
-          config-file: nasa/cFS/.github/codeql/codeql-security.yml@main
-          
-      - name: Copy sample_defs
-        run: ${{ inputs.setup }}
+          config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main
 
-      - name: Make prep
-        run: ${{ inputs.make-prep }}
-      
-      - name: Make Install
+      - name: Build
         run: ${{ inputs.make }}
-
-      - name: Run tests
-        run: ${{ inputs.tests }}
+        working-directory: ../cFS 
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v1
-        
-  CodeQL-Coding-Standard-Build:
-    #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
-    needs: check-for-duplicates
-    if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
-    runs-on: ubuntu-18.04
-    timeout-minutes: 15
-
-    steps:
-      # Checks out a copy of your repository
-      - name: Checkout code
-        uses: actions/checkout@v2
         with:
-          repository: nasa/cFS
-          submodules: true
+          add-snippets: true
+          category: ${{matrix.scan-type}}
 
-      - name: Check versions
-        run: |
-           git log -1 --pretty=oneline
-           git submodule
-      - name: Checkout codeql code      
-        uses: actions/checkout@v2
+      - name: Archive Sarif
+        uses: actions/upload-artifact@v2
         with:
-          repository: github/codeql 
-          submodules: true 
-          path: codeql
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
-        with:
-          languages: c
-          config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main
-
-      - name: Copy sample_defs
-        run: ${{ inputs.setup }}
-
-      - name: Make prep
-        run: ${{ inputs.make-prep }}
-
-      - name: Make Install
-        run: ${{ inputs.make }}
-
-      - name: Run tests
-        run: ${{ inputs.tests }}
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
\ No newline at end of file
+          name: CodeQL-Sarif-${{ matrix.scan-type }}
+          path: /home/runner/work/${{env.REPO}}/results/cpp.sarif