kibana/.github/workflows/codeql-pr.yml at b743fd27e5d5ff6bd0c2a84df3d20164fa329ee6 · elastic/kibana · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: "CodeQL PR"

on:
  pull_request:
    branches: [ "main" ]
    types: [ opened, ready_for_review, synchronize ]
    paths:
      - '**/*.js'
      - '**/*.jsx'
      - '**/*.ts'
      - '**/*.tsx'
      - '**/*.mjs'
      - '**/*.cjs'
      - '.github/codeql/**'

jobs:

  test:
    name: Test CodeQL queries
    runs-on: ubuntu-latest
    if: |
      (contains(fromJSON('["MEMBER", "COLLABORATOR", "CONTRIBUTOR"]'), github.event.pull_request.author_association)
        && toJSON(github.event.pull_request.labels) != '[]'
        && github.event.pull_request.user.type != 'Bot'
        && github.event.pull_request.draft == false
      )
    permissions:
      contents: read

    steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Initialize CodeQL
      uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
      with:
        languages: javascript

    - name: Run CodeQL unit tests
      run: |
        set -euo pipefail
        CODEQL_VERSION=$(ls ${{ runner.tool_cache }}/CodeQL | grep -E '^[0-9]' | head -1)
        export PATH="${{ runner.tool_cache }}/CodeQL/$CODEQL_VERSION/x64/codeql:$PATH"
        # Find all unique test directories containing .qlref files
        mapfile -t TEST_DIRS < <(find .github/codeql/custom-queries -name "*.qlref" -exec dirname {} \; | sort -u)
        if [ "${#TEST_DIRS[@]}" -eq 0 ]; then
          echo "No test directories with .qlref files found. Failing the workflow."
          exit 1
        fi
        for testdir in "${TEST_DIRS[@]}"; do
          echo "Running CodeQL tests in $testdir"
          codeql test run "$testdir" --additional-packs .github/codeql/custom-queries
        done

  analyze:
    name: Analyze javascript
    runs-on: kibana
    if: |
      (contains(fromJSON('["MEMBER", "COLLABORATOR", "CONTRIBUTOR"]'), github.event.pull_request.author_association)
        && toJSON(github.event.pull_request.labels) != '[]'
        && github.event.pull_request.user.type != 'Bot'
        && github.event.pull_request.draft == false
      )
    permissions:
      security-events: write
      packages: read
      actions: read
      contents: read

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
    steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Initialize CodeQL
      uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql/codeql-config.yml
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
      env:
        CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES: true
      with:
        category: "/language:${{matrix.language}}"