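---
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# CodeQL code scanning for this repository, in three jobs:
#   detect-languages - maps changed .yml/.yaml/.java/.ts files to CodeQL
#                      language packs and publishes them as a JSON array
#   analyze          - scans only those detected languages (build-mode: none)
#   codeql           - always scans Python and JavaScript with autobuild
name: "[Code Analysis] CodeQL"
run-name: "[Code Analysis] CodeQL"

on:  # yamllint disable-line rule:truthy
  workflow_dispatch: {}
  pull_request:
    branches:
      - main
      - release-*
    types:
      - opened
      - synchronize
      - reopened
  push:
    branches:
      - main
      - release-*

# Grant nothing at the workflow level; every job lists exactly what it needs.
permissions: {}

jobs:
  detect-languages:
    name: "Detect Changed Languages (except Python and JavaScript)"
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      # JSON array of CodeQL language names (e.g. '["actions","java-kotlin"]'),
      # or '[]' when nothing relevant changed. Consumed by the analyze job.
      langs: ${{ steps.detect-langs.outputs.langs }}
    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: scenescape
          persist-credentials: false
          # Full history so the three-dot diff against main below has a merge base.
          fetch-depth: 0
      - name: "Detect changed languages"
        working-directory: scenescape
        id: detect-langs
        run: |
          # Ensure a local 'main' ref exists when the checkout is on another branch.
          if [ "$(git rev-parse --abbrev-ref HEAD)" != "main" ]; then
            git fetch origin main:main
            echo "Fetched main branch"
          fi
          # Files changed since the merge base with main. '|| true' turns a failed
          # diff into "no changes" instead of failing the job.
          # NOTE(review): when HEAD itself is main (push to main) this diff compares
          # main with main and is empty, so the analyze job does not run there.
          changed_files=$(git diff --name-only "main...$GITHUB_SHA" -- '*.yml' '*.yaml' '*.sh' '*.java' '*.ts' || true)
          echo "Performed git diff"
          if [ -z "$changed_files" ]; then
            echo "No relevant changed files detected."
            echo "langs=[]" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Extension -> CodeQL language pack. Extensions without an entry here
          # (e.g. .sh) are reported as changed but trigger no analysis.
          declare -A langmap=( ["yaml"]=actions ["yml"]=actions ["java"]=java-kotlin ["ts"]=javascript-typescript )
          declare -A langs
          # Read one path per line so filenames containing spaces stay intact.
          while IFS= read -r file; do
            [ -n "$file" ] || continue
            ext="${file##*.}"
            if [[ -n "${langmap[$ext]:-}" ]]; then
              langs[${langmap[$ext]}]=1
            fi
          done <<< "$changed_files"
          echo "Changed files:"
          echo "$changed_files"
          # When no extension mapped to a language the array is empty. Emit '[]'
          # explicitly: piping an empty key list through printf/jq would yield
          # '[""]', which passes the analyze job's '!= []' guard and starts a
          # matrix entry with an empty language name.
          if [ "${#langs[@]}" -eq 0 ]; then
            langs_json='[]'
          else
            langs_json=$(printf '%s\n' "${!langs[@]}" | sort | jq -R . | jq -s -c .)
          fi
          echo "Detected langs:"
          echo "$langs_json"
          echo "langs=$langs_json" >> "$GITHUB_OUTPUT"

  analyze:
    name: "CodeQL Analysis on changed files"
    needs: detect-languages
    # Skipped entirely when detect-languages found nothing to scan.
    if: needs.detect-languages.outputs.langs != '[]'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: ${{ fromJson(needs.detect-languages.outputs.langs) }}
    permissions:
      security-events: write  # needed by codeql-action/analyze to upload results
      actions: read
      contents: read
      packages: read
    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: "Initialize CodeQL build mode"
        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          languages: ${{ matrix.language }}
          build-mode: none
          source-root: .
      - name: "Perform CodeQL analysis"
        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          category: "/language:${{ matrix.language }}"
      - name: "Generate Security Report"
        # Third-party action, pinned by commit SHA. It receives the job's
        # GITHUB_TOKEN, which carries this job's permissions listed above.
        uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
        with:
          template: report
          token: ${{ secrets.GITHUB_TOKEN }}
          outputDir: codeql-report-${{ matrix.language }}
      - name: "GitHub Upload Release Artifacts"
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: codeql-report-${{ matrix.language }}
          path: ./codeql-report-${{ matrix.language }}/report.pdf

  codeql:
    name: "Run CodeQL Analysis on Python and JavaScript"
    permissions:
      security-events: write  # needed by codeql-action/analyze to upload results
      packages: read
      actions: read
      contents: read
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [javascript, python]  # Add more languages as needed
    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: "Initialize CodeQL"
        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          languages: ${{ matrix.language }}
          dependency-caching: true
      - name: "Autobuild"
        uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
      - name: "Perform CodeQL Analysis"
        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          category: "/language:${{ matrix.language }}"
      - name: "Generate Security Report"
        # Third-party action, pinned by commit SHA. It receives the job's
        # GITHUB_TOKEN, which carries this job's permissions listed above.
        uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
        with:
          template: report
          token: ${{ secrets.GITHUB_TOKEN }}
          outputDir: codeql-report-${{ matrix.language }}
      - name: "GitHub Upload Release Artifacts"
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: codeql-report-${{ matrix.language }}
          path: ./codeql-report-${{ matrix.language }}/report.pdf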