
Commit d52e2e7

committed
*: new workflow org-codeql
1 parent 4235d31 commit d52e2e7


5 files changed

+166
-65
lines changed


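--- a/.github/workflows/org-codeql.yml
+++ b/.github/workflows/org-codeql.yml
@@ -0,0 +1,22 @@
+name: CodeQL
+on:
+workflow_dispatch:
+push:
+branches: [main, master, staging, development, devel, dev, prod]
+pull_request:
+types: [opened, synchronize, reopened, ready_for_review]
+branches: [main, master, staging, development, devel, dev]
+merge_group:
+permissions:
+contents: read
+issues: read
+pull-requests: read
+jobs:
+codeql:
+name: codeql
+runs-on: ubuntu-latest
+strategy:
+fail-fast: false
+steps:
+- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+- uses: brave/security-action/actions/codeql@main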
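Review bot: The `permissions` block grants only `contents: read`, `issues: read` and `pull-requests: read`, but the composite action this job calls ends in `github/codeql-action/analyze`, which uploads SARIF to code scanning and needs `security-events: write` (and `actions: read` on private repositories); as written the upload step is expected to fail with a permission error unless the caller grants that elsewhere. Add `security-events: write` (and `actions: read`) under `permissions`. Separately, `actions/checkout` is pinned to a commit SHA while `brave/security-action/actions/codeql@main` is a mutable branch ref, so this job will silently pick up whatever lands on `main`; pinning it to a tag or SHA would keep the two steps consistent.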

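--- a/action.yml
+++ b/action.yml
@@ -36,9 +36,6 @@ inputs:
 debug:
 description: enables debug output for this action
 required: false
-codeql_config:
-description: CodeQL configuration config config
-default: ./.github/codeql/codeql-config.yml
 enabled:
 type: boolean
 description: may disable the whole action, big red button for emergency cases
@@ -87,14 +84,14 @@ runs:
 with:
 separator: '\0'
 - name: Store reviewdog enabled for PR
-if: ${{ inputs.enabled == 'true' && inputs.baseline_scan_only != 'false' && steps.changed-files.outputs.all_changed_files != '' && github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' && (!matrix.language || matrix.language == 'generic') }}
+if: ${{ inputs.enabled == 'true' && inputs.baseline_scan_only != 'false' && steps.changed-files.outputs.all_changed_files != '' && github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' }}
 id: reviewdog-enabled-pr
 shell: bash
 run: |
 set -x
 echo "result=true" >> $GITHUB_OUTPUT
 - name: Store reviewdog enabled for full repo manual run
-if: ${{ inputs.enabled == 'true' && !(steps.reviewdog-enabled-pr.outputs.result == 'true') && (inputs.baseline_scan_only == 'false' || github.event_name == 'workflow_dispatch') && (!matrix.language || matrix.language == 'generic') }}
+if: ${{ inputs.enabled == 'true' && !(steps.reviewdog-enabled-pr.outputs.result == 'true') && (inputs.baseline_scan_only == 'false' || github.event_name == 'workflow_dispatch') }}
 id: reviewdog-enabled-full
 shell: bash
 run: |
@@ -107,41 +104,6 @@ runs:
 run: |
 set -x
 echo "result=true" >> $GITHUB_OUTPUT
-- name: Store if CodeQL should be enabled
-id: codeql-enabled
-uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-env:
-LANGUAGE: ${{ matrix.language }}
-ENABLED: ${{ inputs.enabled }}
-with:
-script: |
-const query = `
-query($owner: String!, $name: String!) {
-repository(owner: $owner, name: $name) {
-isPrivate
-}
-}
-`;
-const variables = {
-owner: context.repo.owner,
-name: context.repo.repo,
-};
-const result = await github.graphql(query, variables);
-
-const isPrivate = result.repository.isPrivate;
-const isDraft = context.payload.pull_request?.draft;
-const isDependabot = context.actor === 'dependabot[bot]';
-const isNotGeneric = process.env.LANGUAGE !== "" && process.env.LANGUAGE !== 'generic';
-const isEnabled = process.env.ENABLED === 'true';
-
-return isEnabled && !isDraft && !isDependabot && isNotGeneric && !isPrivate;
-- name: CodeQL Sanity Check
-if: ${{ steps.codeql-enabled.outputs.result != 'true' && steps.codeql-enabled.outputs.result != 'false' }}
-shell: bash
-run: |
-set -x
-echo "CodeQL enabled is not a boolean, aborting"
-exit 1
 # REVIEWDOG Steps
 # REVIEWDOG Setup
 - name: Write changed files to file
@@ -219,7 +181,7 @@ runs:
 console.log("Comments: %d", commentsNumber);
 return commentsNumber;
 - id: unverified-commits
-if: ${{ github.event_name == 'pull_request' && (!matrix.language || matrix.language == 'generic') }}
+if: ${{ github.event_name == 'pull_request' }}
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 script: |
@@ -628,27 +590,3 @@ runs:
 channel: secops-hotspots
 color: green
 verbose: true
-# CodeQL Steps
-- if: ${{ steps.codeql-enabled.outputs.result == 'true' && hashFiles(inputs.codeql_config) }}
-name: Initialize CodeQL
-uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
-with:
-languages: ${{ matrix.language }}
-config-file: ${{ inputs.codeql_config }}
-- if: ${{ steps.codeql-enabled.outputs.result == 'true' && !hashFiles(inputs.codeql_config)}}
-name: Initialize CodeQL (without config)
-uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
-with:
-languages: ${{ matrix.language }}
-- if: ${{ steps.codeql-enabled.outputs.result == 'true' }}
-name: Autobuild
-uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
-- if: ${{ steps.codeql-enabled.outputs.result == 'true' }}
-name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
-# - run: echo ${{ inputs.in-name }}
-# shell: bash
-# - id: output-step-id
-# run: echo "output-name=antani" >> $GITHUB_OUTPUT
-# shell bash
-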
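Review bot: The rewritten `if:` conditions on the `reviewdog-enabled-pr`, `reviewdog-enabled-full` and `unverified-commits` steps drop the `(!matrix.language || matrix.language == 'generic')` guard, so a caller that still invokes this action from a language matrix would now run the reviewdog and unverified-commit steps once per matrix entry instead of once, presumably posting duplicate comments; if the matrix is being retired together with the CodeQL steps that is fine, but nothing on the page says so. The `codeql_config` input is also removed outright, so callers still passing it will start getting an unexpected-input warning. A line in the README or changelog, or keeping `codeql_config` as a documented no-op input for one release, would make the break explicit. The `runs:` block continues outside these hunks.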

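--- a/actions/codeql/action.yml
+++ b/actions/codeql/action.yml
@@ -0,0 +1,95 @@
+name: "CodeQL action"
+description: "CodeQL"
+inputs:
+debug:
+description: enables debug output for this action
+required: false
+enabled:
+description: enables this action
+required: false
+runs:
+using: "composite"
+steps:
+- name: Get changed files
+id: changed-files
+uses: tj-actions/changed-files@ae82ed4ae04587b665efad2f206578aa6f0e8539 # v42.0.0
+with:
+separator: '\0'
+files: |
+**/*.{cpp,c++,hpp,hh,h++,hxx,c,cc,h}
+**/*.{sln,csproj,cs,cshtml,xaml}
+**/*.go
+**/*.java
+**/*.kt
+**/*.{js,jsx,mjs,es,es6,htm,html,xhtm,xhtml,vue,hbs,ejs,njk,json,yaml,yml,raml,xml}
+**/*.py
+**/*.{rb,erb,gemspec}
+**/Gemfile
+**/*.swift
+**/*.{ts,tsx,mts,cts}
+- name: Store configurations
+id: cfg
+env:
+DEBUG: ${{ (inputs.debug == 'true' || runner.debug) && 'true' || 'false'}}
+FILES: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
+uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+with:
+script: |
+var debug = process.env.DEBUG == 'true';
+console.log(debug);
+if (debug) {
+console.log("Initializing CodeQL Action");
+}
+
+const { existsSync } = await import('fs');
+const { default: getConfig } = await import('${{ github.action_path }}/../../src/getConfig.js');
+const { default: getProperties } = await import('${{ github.action_path }}/../../src/getProperties.js');
+
+const query = `
+query($owner: String!, $name: String!) {
+repository(owner: $owner, name: $name) {
+isPrivate
+}
+}
+`;
+const variables = {
+owner: context.repo.owner,
+name: context.repo.repo,
+};
+const result = await github.graphql(query, variables);
+
+const isPrivate = result.repository.isPrivate;
+const isDraft = context.payload.pull_request?.draft;
+const isBot = context.actor.endsWith('[bot]');
+const isEmptyFiles = process.env.FILES.trim() === '';
+
+const inputs = ${{ toJson(inputs) }};
+// delete if empty string in inputs value
+Object.keys(inputs).forEach(key => inputs[key] === '' && delete inputs[key]);
+
+const config = await getConfig({owner: context.repo.owner, repo: context.repo.repo, path: '.github/codeql.json', debug, github});
+const properties = await getProperties({owner: context.repo.owner, repo: context.repo.repo, debug, github});
+
+const options = Object.assign({
+codeql_enabled: (!isDraft && !isBot && !isPrivate && !isEmptyFiles).toString(),
+codeql_config_file: existsSync('.github/codeql/codeql-config.yml') ?
+'.github/codeql/codeql-config.yml' :
+existsSync('${{ github.action_path }}/../../.github/codeql/codeql-config.yml') ?
+'${{ github.action_path }}/../../.github/codeql/codeql-config.yml' :
+undefined,
+}, config, properties, inputs);
+
+if (debug) console.log(`options: ${JSON.stringify(options, null, 2)}`);
+
+return options;
+- if: ${{ fromJson(steps.cfg.outputs.result).codeql_enabled == 'true' }}
+name: Initialize CodeQL
+uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+with:
+config-file: ${{ steps.cfg.outputs.result.codeql_config_file }}
+- if: ${{ fromJson(steps.cfg.outputs.result).codeql_enabled == 'true' }}
+name: Autobuild
+uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+- if: ${{ fromJson(steps.cfg.outputs.result).codeql_enabled == 'true' }}
+name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1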
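Review bot: The `config-file:` value on the Initialize CodeQL step reads `steps.cfg.outputs.result.codeql_config_file`, but `steps.cfg.outputs.result` is the JSON string the script returns, so property access on it yields nothing and the chosen config file is never passed to `init`; the sibling `if:` conditions already use the right form, so change it to `config-file: ${{ fromJson(steps.cfg.outputs.result).codeql_config_file }}`. The `enabled` input declared at the top ("enables this action") is never consulted: `codeql_enabled` is computed from draft/bot/private/empty-files only, and `inputs` is merged into `options` under its own `enabled` key that no later step reads, so the `ENABLED` gate the old action had is lost. Wiring it in, e.g. `codeql_enabled: (inputs.enabled !== 'false' && !isDraft && !isBot && !isPrivate && !isEmptyFiles).toString(),` (or `=== 'true'` if opt-in was intended), restores that control. Note also that `config` (from `.github/codeql.json`) and `properties` are merged after the computed defaults, so either can override `codeql_enabled` and `codeql_config_file`; if that is deliberate, a short comment on the `Object.assign` call saying so would help the next reader.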

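--- a/src/getConfig.js
+++ b/src/getConfig.js
@@ -0,0 +1,21 @@
+export default async function getConfig({ owner, repo, path, github, githubToken, debug = false }) {
+if (!github && githubToken) {
+const { Octokit } = await import("@octokit/core");
+
+github = new Octokit({ auth: githubToken })
+}
+
+try {
+const { data } = await github.rest.repos.getContent({
+owner,
+repo,
+path,
+});
+const fileContent = Buffer.from(data.content, 'base64').toString('utf8');
+if (debug) console.log(fileContent);
+return JSON.parse(fileContent);
+} catch (err) {
+if (debug) console.log(err);
+return {};
+}
+}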
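Review bot: The `githubToken` fallback builds the client from `@octokit/core`, whose instances expose `request`/`graphql` but, as far as I know, not the `rest.repos.getContent` namespace used in the `try` block (that comes from `@octokit/rest` or the rest-endpoint-methods plugin), so that path would throw a TypeError which the catch then turns into an empty config. The plain request form, which getProperties.js already uses, works on both clients: `const { data } = await github.request('GET /repos/{owner}/{repo}/contents/{path}', { owner, repo, path });`. The catch is also broader than it needs to be: a missing `.github/codeql.json` (404) is the expected case, but auth failures, rate limiting and a malformed JSON file all become a silent `{}`, and with `debug` off nothing is logged at all; checking `err.status === 404` and rethrowing, or at least logging, everything else would make configuration failures visible. Without a `ref`, the contents call reads the default branch, so a config change in a pull request is presumably not picked up until it merges — worth a one-line comment if that is intended.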

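--- a/src/getProperties.js
+++ b/src/getProperties.js
@@ -0,0 +1,25 @@
+export default async function getProperties({ owner, repo, github, githubToken, debug = false }) {
+if (!github && githubToken) {
+const { Octokit } = await import("@octokit/core");
+
+github = new Octokit({ auth: githubToken })
+}
+
+try {
+let properties = await github.request('GET /repos/{owner}/{repo}/properties/values', {
+owner: owner,
+repo: repo,
+headers: {
+'X-GitHub-Api-Version': '2022-11-28'
+}
+});
+if (debug) console.log(properties);
+return properties.data.reduce((acc, cur) => {
+acc[cur.property_name] = cur.value;
+return acc;
+}, {});
+} catch (err) {
+console.log(err);
+return {};
+}
+}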
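Review bot: The catch logs unconditionally with `console.log(err)` and then returns `{}`, which is inconsistent with getConfig.js (where the log is gated on `debug`) and hides auth or permission failures behind an empty property set that the caller merges into its options; gating the log the same way and rethrowing unexpected errors (or at least using `console.error`) would make failures visible rather than silently disabling whatever the properties were meant to control. Minor style: `properties` is never reassigned, so `let properties` should be `const properties`, and `owner: owner, repo: repo` can use shorthand `{ owner, repo, headers: { ... } }`. A one-line JSDoc stating that the return value maps each `property_name` to its raw `value` (whose type depends on how the property is defined in the organization) would help callers that merge it into `options`.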
