pleo-io · TheBellman · Apr 19, 2024 · Apr 19, 2024
@@ -0,0 +1,131 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+#   - centralized-templates
+# FILE STEWARD: @pleo-io/security
+
+name: CodeQL Analysis
+
+on:
+  push:
+    branches:
+      - main
+      - master
+      - develop
+  pull_request:
+    branches:
+      - main
+      - master
+      - develop
+
+env:
+  language_Kotlin: "java"
+  language_Java: "java"
+  language_Go: "go"
+  language_Python: "python"
+  language_JavaScript: "javascript"
+  language_TypeScript: "javascript"
+  WORKING_LANGUAGE: ""
+  CONFIG_FILE: ""
+  RUN_ON_DEFAULT_BRANCH: true
+  GRADLE_SCRIPT_PATH: ./gradlew
+
+jobs:
+  preflight:
+    name: Determine if CodeQL should run
+    runs-on: ubuntu-latest
+    outputs:
+      should_run_analyze: ${{ steps.maybe_skip_analyze.outputs.should_run_analyze }}
+      working_language: ${{steps.working_language_step.outputs.WORKING_LANGUAGE}}
+    steps:
+      - uses: winterjung/split@v2
+        id: split
+        with:
+          msg: ${{ github.repository }}
+          separator: "/"
+      - id: get_default_branch
+        name: Determine our default branch
+        uses: octokit/request-action@v2.x
+        with:
+          route: GET /repos/{owner}/{repo}
+          owner: ${{ github.repository_owner }}
+          repo: ${{ steps.split.outputs._1 }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - id: set_default_branch
+        name: Set our default branch
+        run: echo "DEFAULT_BRANCH=${{ fromJson(steps.get_default_branch.outputs.data).default_branch }}" >> "$GITHUB_ENV"
+      - id: maybe_skip_analyze
+        name: Check if analyze should run
+        shell: bash
+        run: |
+          if [[ "${{ env.RUN_ON_DEFAULT_BRANCH }}" == "false" && "${{ github.ref }}" == "refs/heads/${{ env.DEFAULT_BRANCH }}" && "${{ github.event_name }}" == "push" ]]; then
+            echo "Skipping CodeQL analysis on main branch due to configuration"
+            echo "should_run_analyze=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "Running CodeQL analysis"
+            echo "should_run_analyze=true" >> "$GITHUB_OUTPUT"
+          fi
+      - id: working_language_step
+        name: We check if the repository language is supported by CodeQL
+        run: echo "WORKING_LANGUAGE=${{env[format('language_{0}', github.event.repository.language)]}}" >> "$GITHUB_OUTPUT"
+  analyze-code:
+    name: Analyze code with CodeQL
+    if: ${{ (needs.preflight.outputs.should_run_analyze == 'true') && (needs.preflight.outputs.working_language != '')}}
+    needs: preflight
+    continue-on-error: true
+    runs-on: codeql-runner
+    timeout-minutes: 30
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - name: Set Working Language
+        run: echo "WORKING_LANGUAGE=${{needs.preflight.outputs.working_language}}" >> "$GITHUB_ENV"
+      # Set up a JDK environment for building, testing and releasing.
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4.0.0
+        if: ${{ env.WORKING_LANGUAGE == 'java' }}
+        with:
+          java-version: 17
+          distribution: temurin
+
+      # Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3.1.0
+        if: ${{ env.WORKING_LANGUAGE == 'java' }}
+        with:
+          gradle-version: wrapper
+          cache-read-only: true
+
+      # Set up a Node environment for JS/TS/Node client generation.
+      - name: Set up Node 20
+        uses: actions/setup-node@v4
+        if: ${{ env.WORKING_LANGUAGE == 'javascript' }}
+        with:
+          node-version: 20
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ github.event.repository.language }}
+          ram: 4096
+          queries: security-and-quality
+          tools: latest
+          config-file: ${{ env.CONFIG_FILE }}
+
+      - name: Gradle Build
+        run: ${{ env.GRADLE_SCRIPT_PATH }} classes testClasses --stacktrace -Dorg.gradle.jvmargs=-Xmx4g -Dorg.gradle.parallel=true
+        if: ${{ env.WORKING_LANGUAGE == 'java' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+          GRADLE_READ_KEY: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+          JOB_RUNR_REPO_PASSWORD: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          ram: 4096