ci: Add CodeQL analysis workflow configuration #10
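# CodeQL code-scanning workflow (GitHub Actions).
# Scans pushes and pull requests targeting main, plus a weekly scheduled run
# so newly published queries are applied even when the code does not change.
name: "CodeQL Advanced"

# One in-flight run per workflow+ref: a newer push to the same ref cancels the
# previous scan instead of queuing behind it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# NOTE: `on` is read as a boolean key by YAML 1.1 parsers; GitHub's loader
# handles it, so it is kept as-is (suppress yamllint `truthy` here if linting).
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    # Weekly: Sunday 18:28 UTC.
    - cron: "28 18 * * 0"

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # Runner size impacts CodeQL analysis time. To learn more, please see:
    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
    #   - https://gh.io/supported-runners-and-hardware-resources
    #   - https://gh.io/using-larger-runners (GitHub.com only)
    # Consider using larger runners or machines with greater resources for
    # possible analysis time improvements.
    runs-on: ${{ matrix.os }}

    # Least privilege: once a `permissions` block is present, every scope not
    # listed here is set to `none` on the job's GITHUB_TOKEN.
    permissions:
      # required for all workflows (uploads SARIF results to code scanning)
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories (checkout and
      # workflow-run lookup); harmless on public ones, and keeps the job
      # working if the repository visibility changes
      actions: read
      contents: read

    strategy:
      # Keep scanning the other languages when one matrix entry fails.
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
            os: ubuntu-latest
          # c-cpp uses a manual build so CodeQL can trace the Objective-C
          # compilation (see the "Build iOS plugin source files" step);
          # macOS is needed for the iOS SDK toolchain (xcrun/clang).
          - language: c-cpp
            build-mode: manual
            os: macos-latest
          - language: java-kotlin
            build-mode: none
            os: ubuntu-latest

    steps:
      # Supply-chain note: third-party actions below are referenced by mutable
      # major-version tags. Pinning each `uses:` to a full commit SHA (with the
      # version in a trailing comment) protects against a tag being moved.
      - name: Checkout repository
        uses: actions/checkout@v6

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Inline CodeQL configuration: limit results to the plugin's own
          # sources and the workflow files; the example app is excluded.
          config: |
            paths:
              - 'android/src/main/java/**'
              - 'ios/Classes/**'
              - '.github/workflows/**'
            paths-ignore:
              - 'example/**'

      # Local composite action; only needed for the manual c-cpp build.
      - name: Set up Flutter for headers
        if: matrix.language == 'c-cpp'
        uses: ./.github/actions/setup-flutter

      # Manual build for the c-cpp matrix entry. The script interpolates no
      # `${{ }}` expressions, so no event/workflow data reaches the shell.
      # Compile failures are intentionally tolerated (best effort); they are
      # reported in the log but do not fail the step.
      - name: Build iOS plugin source files
        if: matrix.language == 'c-cpp'
        run: |
          # Compile only the plugin's Objective-C source files
          # CodeQL will trace these compilation commands to analyze the code
          cd ios/Classes
          # Get Flutter framework path (needed for Flutter.h imports)
          FLUTTER_ROOT=$(flutter --version --machine | grep -o '"flutterRoot":"[^"]*' | cut -d'"' -f4)
          FLUTTER_FRAMEWORK="$FLUTTER_ROOT/bin/cache/artifacts/engine/ios/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework"
          # Get the iOS SDK path
          SDK_PATH=$(xcrun --show-sdk-path --sdk iphonesimulator)
          # Without nullglob an empty directory would pass the literal "*.m"
          # to clang and print a misleading "expected" note instead of nothing.
          shopt -s nullglob
          # Compile each .m file so CodeQL can trace and analyze it
          # We compile to object files but don't link (no need for full app build)
          for file in *.m; do
            clang -c "$file" \
              -I. \
              -I"$FLUTTER_FRAMEWORK/Headers" \
              -I"$SDK_PATH/usr/include" \
              -isysroot "$SDK_PATH" \
              -arch arm64 \
              -mios-simulator-version-min=11.0 \
              -fobjc-arc \
              -framework Foundation \
              -F"$SDK_PATH/System/Library/Frameworks" \
              -o "${file%.m}.o" 2>&1 || echo "Note: Compilation of $file had issues (expected for some files)"
          done

      # One category per matrix language so results from the three analyses
      # are kept distinct in code scanning instead of overwriting each other.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"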