Skip to content
This repository has been archived by the owner on Jan 20, 2025. It is now read-only.

Commit

Permalink
Feat CI CodeQL
Browse files Browse the repository at this point in the history 
- [+] feat(codeql.yml): add CodeQL workflow for CI/CD pipeline with unit testing and analysis
  • Loading branch information
@H0llyW00dzZ
H0llyW00dzZ committed Dec 6, 2023
1 parent 58af6a0 commit 89119cb
Showing 1 changed file with 173 additions and 0 deletions.
173 changes: 173 additions & 0 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
############################
# Author : H0llyW00dzZ #
############################
name: "CI: CodeQL Unit Testing Advanced"

on:
push:
# modify this branch
branches:
- main
paths-ignore:
- '**.md'
- '.github/workflows/**'
pull_request:
branches:
- main
paths-ignore:
- '**.md'
- '.github/workflows/**'
types: [opened, reopened, synchronize]

schedule:
- cron: '0 0 * * *'

# allows you to run this workflow manually
# Adding an `inputs` section to the `workflow_dispatch` event to define a new input parameter called `branch`
workflow_dispatch:
inputs:
branch:
description: 'Branch to scan'
required: true
default: 'main'

jobs:
analyze:
name: Analyze
runs-on: ${{ matrix.language == 'swift' && 'macos-latest' || 'ubuntu-latest' }}
timeout-minutes: ${{ matrix.language == 'swift' && 120 || 360 }}

permissions:
actions: read
contents: read
pull-requests: write
deployments: read
security-events: write

strategy:
fail-fast: false
matrix:
# this can be modified example if your repo is only python then remove 'javascript', 'go'
language: ['go']

steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: ${{ github.event.inputs.branch }}

- name: Detect repository language
id: detect-language
run: |
echo "languages=${{ matrix.language }}" >> $GITHUB_ENV
echo "fileExists=true" >> $GITHUB_ENV
- name: Set up Python
if: ${{ matrix.language == 'python' }}
uses: actions/setup-python@v4
with:
python-version: '3.x'
env:
NODE_VERSION: 18

- name: Install Python dependencies
if: ${{ matrix.language == 'python' && matrix.fileExists }}
run: python -m pip install --upgrade pip && pip install -r requirements.txt
# github need to fix this confusing alias javascript-typescript, because in the end are javascript LMAO
- name: Set up JavaScript/TypeScript
if: ${{ matrix.language == 'javascript' }}
uses: actions/setup-node@v4
with:
node-version: '18'
# note: this useless only for compiled language
- name: Install JavaScript/TypeScript dependencies
if: ${{ matrix.language == 'javascript' && matrix.fileExists }}
run: npm ci

- name: Set up Go
if: ${{ matrix.language == 'go' }}
uses: actions/setup-go@v4
with:
go-version: '1.21.3'
env:
NODE_VERSION: 18

- name: Install Go dependencies
if: ${{ matrix.language == 'go' && matrix.fileExists }}
run: go mod download

# Get CodeQL config from gist
- name: Get config from gist
run: |
mkdir -p .github/codeql
curl -o .github/codeql/codeql-config.yml https://gist.githubusercontent.com/H0llyW00dzZ/230f3422c3be901915f2802d3a3314b1/raw/dbdae057dfeabc6af42d5322c948f563dc8277a1/codeql-config.yml
- name: Initialize CodeQL
id: InitCodeQL
uses: github/codeql-action/init@v2
with:
# Configuration for init codeQL
languages: ${{ env.languages }}
config-file: ./.github/codeql/codeql-config.yml

# Attempt to automatically build code for compiled languages
# Currently only for Go, but more can be added later
- name: Attempt to automatically build code for ${{ matrix.language }}
if: ${{ matrix.language == 'go' }}
uses: github/codeql-action/autobuild@v2

- name: Perform CodeQL-Security Analysis
if: ${{ env.languages != '' }}
id: CodeQL
uses: github/codeql-action/analyze@v2
with:
# disable default upload because using multiple method
upload: false
# snippets for SARIF file
add-snippets: true

- name: Upload ${{ matrix.language }} SARIF for Analysis Result
if: ${{ matrix.language && env.languages != '' }}
id: upload-Analysis_Result-sarif
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif
category: "Analysis Result: ${{ matrix.language }}"

# since it public everyone can see in artifact about Analysis Result
# just for incase you can disable this later by block #

- name: Encrypt Analysis Result
if: ${{ matrix.language && env.languages != '' }}
id: Encrypt_Analysis
run: |
curl -sSL "https://github.com/${{ github.repository_owner }}.gpg" -o keyfile
gpg --import keyfile
gpg --encrypt --recipient "$(gpg --list-keys --keyid-format LONG | grep '^pub' | awk '{print $2}' | awk -F'/' '{print $2}')" --trust-model always "${{ runner.workspace }}/results/${{ matrix.language }}.sarif"
- name: Upload Analysis Result As Artifact
uses: actions/upload-artifact@v3
with:
name: Analysis_Result (SARIF + Encrypted)
path: ${{ runner.workspace }}/results/${{ matrix.language }}.sarif.gpg

- name: Check CodeQL Unit Testing status
if: ${{github.event_name == 'pull_request' }}
id: check-status
run: |
if [ -f "${{ runner.workspace }}/results/${{ matrix.language }}.sarif.gpg" ]; then
echo "codeql_status=done" >> $GITHUB_STATE
echo "codeql_status=done" >> $GITHUB_OUTPUT
echo "pull_request_number=${{ github.event.pull_request.number }}" >> $GITHUB_STATE
echo "pull_request_number=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
else
echo "codeql_status=pending" >> $GITHUB_STATE
echo "codeql_status=pending" >> $GITHUB_OUTPUT
fi
- name: PR comment
if: ${{ steps.check-status.outputs.codeql_status == 'done' && github.event_name == 'pull_request' }}
uses: NejcZdovc/comment-pr@v2
with:
message: "CodeQL analysis is complete for PR #${{ steps.check-status.outputs.pull_request_number }}"
github_token: ${{ secrets.GITHUB_TOKEN }}

0 comments on commit 89119cb

Please sign in to comment.