Merge pull request #338 from bocan/release-please--branches--main #197
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CodeQL | |
| # CodeQL scanning for Swift is a GitHub public preview. It only | |
| # supports building on macOS runners, and has to see a real build | |
| # (not autobuild) to gather call-graph information. | |
| # | |
| # We reuse the same xcodebuild pipeline as CI and let init/analyze | |
| # bracket it. Scheduled weekly plus on every PR into main. | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: "0 6 * * 1" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| analyze: | |
| name: Analyze (Swift) | |
| runs-on: macos-26 | |
| timeout-minutes: 45 | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Select Xcode 26 | |
| run: sudo xcode-select -s /Applications/Xcode_26.5.app | |
| - name: Cache SPM packages | |
| uses: actions/cache@v5 | |
| with: | |
| path: | | |
| ~/Library/Developer/Xcode/DerivedData/**/SourcePackages | |
| ~/.swiftpm | |
| key: ${{ runner.os }}-codeql-spm-${{ hashFiles('**/Package.resolved') }} | |
| restore-keys: | | |
| ${{ runner.os }}-codeql-spm- | |
| - name: Install Brewfile dependencies | |
| run: brew bundle | |
| - name: Set pkg-config path for FFmpeg and TagLib | |
| run: | | |
| echo "PKG_CONFIG_PATH=/opt/homebrew/opt/ffmpeg/lib/pkgconfig:/opt/homebrew/opt/taglib/lib/pkgconfig" >> $GITHUB_ENV | |
| - name: Stub Secrets.xcconfig (xcodegen requires it) | |
| env: | |
| ACOUSTID_API_KEY: ${{ secrets.ACOUSTID_API_KEY }} | |
| BOCAN_LASTFM_API_KEY: ${{ secrets.BOCAN_LASTFM_API_KEY }} | |
| BOCAN_LASTFM_SHARED_SECRET: ${{ secrets.BOCAN_LASTFM_SHARED_SECRET }} | |
| run: | | |
| if [ ! -f Secrets.xcconfig ]; then | |
| cp Secrets.xcconfig.template Secrets.xcconfig | |
| fi | |
| # Inject any optional repo secrets that happen to be set. Missing | |
| # secrets just leave the template's empty defaults in place. | |
| if [ -n "$ACOUSTID_API_KEY" ]; then | |
| sed -i '' "s|^ACOUSTID_API_KEY = .*|ACOUSTID_API_KEY = $ACOUSTID_API_KEY|" Secrets.xcconfig | |
| fi | |
| if [ -n "$BOCAN_LASTFM_API_KEY" ]; then | |
| sed -i '' "s|^BOCAN_LASTFM_API_KEY = .*|BOCAN_LASTFM_API_KEY = $BOCAN_LASTFM_API_KEY|" Secrets.xcconfig | |
| fi | |
| if [ -n "$BOCAN_LASTFM_SHARED_SECRET" ]; then | |
| sed -i '' "s|^BOCAN_LASTFM_SHARED_SECRET = .*|BOCAN_LASTFM_SHARED_SECRET = $BOCAN_LASTFM_SHARED_SECRET|" Secrets.xcconfig | |
| fi | |
| - name: Generate Xcode project | |
| run: xcodegen generate | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: swift | |
| queries: security-and-quality | |
| - name: Build (manual) | |
| run: make build | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:swift" |