CodeQL #525
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CodeQL" | |
| on: | |
| push: | |
| branches: [ "master" ] | |
| pull_request: | |
| branches: [ "master" ] | |
| schedule: | |
| - cron: "4 7 * * 1" | |
| jobs: | |
| analyze: | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ python, cpp ] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: true | |
| fetch-depth: 0 | |
| - name: Install Packages (cpp) | |
| if: ${{ matrix.language == 'cpp' }} | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install --yes g++-11 libgmp-dev ninja-build python3-pip | |
| sudo pip3 install z3-solver | |
| - name: Configure (cpp) | |
| if: ${{ matrix.language == 'cpp' }} | |
| # Use Debug mode for faster building | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/build | |
| cd $GITHUB_WORKSPACE/build | |
| cmake -G Ninja -DCMAKE_BUILD_TYPE=Debug -DFT_WITH_CUDA=OFF -DFT_WITH_PYTORCH=OFF $GITHUB_WORKSPACE | |
| - name: After Prepare (cpp) | |
| if: ${{ matrix.language == 'cpp' }} | |
| run: | | |
| export CC=gcc-11 && echo "CC=$CC" >> $GITHUB_ENV | |
| export CXX=g++-11 && echo "CXX=$CXX" >> $GITHUB_ENV | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| config-file: ./.github/codeql/codeql-config.yml | |
| languages: ${{ matrix.language }} | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v2 | |
| if: ${{ matrix.language == 'go' || matrix.language == 'python' }} | |
| - name: Build cpp | |
| if: ${{ matrix.language == 'cpp' }} | |
| run: | | |
| cd $GITHUB_WORKSPACE/build | |
| ninja | |
| # `paths-ignore` in `.github/codeql/codeql-config.yml` works for Python but not | |
| # C++. For C++, CodeQL does not support filtering out directories BEFORE analysis, | |
| # but we can filter the results AFTER analysis. The results will still be on the | |
| # GitHub page, but marked as closed. We take the following steps: | |
| # | |
| # - Perform CodeQL Analysis, but not uploading the result. Output it to a directory | |
| # instead. | |
| # - Filter the result with the `advanced-security/filter-sarif` action. (Include | |
| # `build/` because we have files generated by ANTLR, and we use `**/` because we | |
| # have no idea where the environment variable $GITHUB_WORKSPACE refers to). | |
| # - Upload the filtered result. | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| with: | |
| category: "/language:${{ matrix.language }}" | |
| upload: False | |
| output: sarif-results | |
| - name: Filter SARIF | |
| uses: advanced-security/filter-sarif@v1 | |
| with: | |
| patterns: | | |
| -3rd-party/**/* | |
| -test/**/* | |
| -**/build/**/* | |
| input: sarif-results/${{ matrix.language }}.sarif | |
| output: sarif-results/${{ matrix.language }}.sarif | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: sarif-results/${{ matrix.language }}.sarif |