-
Notifications
You must be signed in to change notification settings - Fork 1
83 lines (79 loc) · 3.58 KB
/
Copy pathcodeql.yml
File metadata and controls
83 lines (79 loc) · 3.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Workflow for advanced CodeQL setup used for scanning Java/JavaScript/TypeScript/Vue/Python based source files
name: 🛡️ ☕ 📜 🐍 CodeQL Advanced
env:
# Whether to analyze Java code or not (only set to true if repo has Java source code)
analyze-java: true
# Build mode to use for analysis of Java code (e.g. none, autobuild, manual)
java-buildmode: autobuild
# Temurin JDK version to use for autobuild (only when java-buildmode is set to autobuild)
java-version: 21
# Whether to analyze JavaScript/TypeScript/Vue code or not (only set to true if repo has Javascript/Typescript/Vue source code)
analyze-javascript-typescript-vue: true
# Whether to analyze Python code or not (only set to true if repo has Python source code)
analyze-python: false
# Query set to use when analyzing the source code (e.g. default, security-extended, security-and-quality)
analysis-query: security-and-quality
on:
# Runs on pull requests and on pushes to main (in order to keep the regular scanning by GitHub working)
pull_request:
push:
branches: [main]
permissions:
pull-requests: read
security-events: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
check-changes:
name: Check changed files and directories
runs-on: ubuntu-latest
permissions:
pull-requests: read
outputs:
java: ${{ steps.filter.outputs.java }}
javascript-typescript-vue: ${{ steps.filter.outputs.javascript-typescript-vue }}
python: ${{ steps.filter.outputs.python }}
steps:
- name: Checkout repository
uses: it-at-m/lhm_actions/action-templates/actions/action-checkout@877aafa9f0732cbc91819b60d237c351ea88f95c # v1.0.34
- name: Path Filter
id: filter
uses: it-at-m/lhm_actions/action-templates/actions/action-filter@877aafa9f0732cbc91819b60d237c351ea88f95c # v1.0.34
codeql-java:
name: Analyze Java source files
runs-on: ubuntu-latest
needs: check-changes
strategy:
fail-fast: false
matrix:
build-path: ["./zmsautomation"] # java project root containing pom.xml
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@877aafa9f0732cbc91819b60d237c351ea88f95c # v1.0.34
if: ${{ env.analyze-java == 'true' && (github.ref_name == 'main' || needs.check-changes.outputs.java == 'true') }}
with:
codeql-language: java-kotlin
codeql-buildmode: ${{ env.java-buildmode }}
codeql-query: ${{ env.analysis-query }}
java-version: ${{ env.java-version }}
path: ${{ matrix.build-path }}
codeql-javascript-typescript-vue:
name: Analyze JavaScript/TypeScript/Vue source files
runs-on: ubuntu-latest
needs: check-changes
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@877aafa9f0732cbc91819b60d237c351ea88f95c # v1.0.34
if: ${{ env.analyze-javascript-typescript-vue == 'true' && (github.ref_name == 'main' || needs.check-changes.outputs.javascript-typescript-vue == 'true') }}
with:
codeql-language: javascript-typescript
codeql-query: ${{ env.analysis-query }}
codeql-python:
name: Analyze Python source files
runs-on: ubuntu-latest
needs: check-changes
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@877aafa9f0732cbc91819b60d237c351ea88f95c # v1.0.34
if: ${{ env.analyze-python == 'true' && (github.ref_name == 'main' || needs.check-changes.outputs.python == 'true') }}
with:
codeql-language: python
codeql-query: ${{ env.analysis-query }}