ref: Use RunLoop observer for watchdog detection #15787
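name: CodeQL

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: "40 4 * * 6" # Weekly scheduled run to catch issues regardless of changes

# Least-privilege default for GITHUB_TOKEN: every job starts with read-only
# repository access; jobs that need more request it explicitly in their own
# `permissions` block below.
permissions:
  contents: read

# Concurrency configuration:
# - We use workflow-specific concurrency groups to prevent multiple CodeQL security analysis runs,
#   as these are comprehensive security scans that shouldn't run simultaneously.
# - For pull requests, we cancel in-progress runs when new commits are pushed since only the
#   latest security analysis results matter for identifying potential vulnerabilities.
# - For main branch pushes and scheduled runs, we never cancel security analysis to ensure
#   complete security validation and maintain our security baseline with weekly scheduled scans.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  files-changed:
    name: Detect File Changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # paths-filter resolves the changed-file list through the pull request API on
      # pull_request events, which needs read access to pull requests.
      pull-requests: read
    outputs:
      run_codeql_analysis_for_prs: ${{ steps.changes.outputs.run_codeql_analysis_for_prs }}
    steps:
      - uses: actions/checkout@v5
      - name: Get changed files
        id: changes
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          token: ${{ github.token }}
          filters: .github/file-filters.yml

  analyze:
    if: github.event_name != 'pull_request' || needs.files-changed.outputs.run_codeql_analysis_for_prs == 'true'
    needs: files-changed
    name: Analyze (${{ matrix.language }})
    runs-on: macos-14
    permissions:
      actions: read # lets codeql-action read workflow run metadata
      contents: read
      security-events: write # required by codeql-action to upload results to code scanning
    strategy:
      fail-fast: false
      matrix:
        language: ["cpp"]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
      # NOTE(review): checkout and the codeql-action steps track moving major tags
      # (@v5, @v3) while paths-filter above is pinned to a commit SHA. Pinning every
      # third-party action to a full commit SHA, with the version in a trailing
      # comment, keeps the supply-chain posture consistent across the workflow.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      # Build the workspace so CodeQL can observe the compiled C/C++/Objective-C sources.
      # pipefail keeps xcodebuild's exit status even though the output is piped through
      # tee and xcbeautify; the raw log is kept for the diagnostics step below.
      - name: Build for CodeQL
        run: |
          set -o pipefail && NSUnbufferedIO=YES xcodebuild \
            -workspace Sentry.xcworkspace \
            -scheme Sentry \
            -configuration Release \
            -destination platform="iOS Simulator,OS=16.4,name=iPhone 14 Pro" \
            build 2>&1 |
            tee raw-analyze-output.log |
            xcbeautify
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
      - name: Run CI Diagnostics
        if: failure()
        run: ./scripts/ci-diagnostics.sh

  # This check validates that `analyze` either passed or was skipped, which allows us
  # to make CodeQL analysis a required check while only running the analysis when needed.
  # So we don't have to run CodeQL analysis for, for example, unrelated changes.
  codeql_analysis-required-check:
    needs:
      - files-changed
      - analyze
    name: Analyze
    # This is necessary since a failed/skipped dependent job would otherwise cause this job to be skipped.
    if: always()
    runs-on: ubuntu-latest
    steps:
      # If any job we depend on fails, gets cancelled, or times out, this job fails.
      # Skipped jobs are not considered failures.
      - name: Check for failures
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: |
          echo "One of the CodeQL analysis jobs has failed." && exit 1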