chore(ci): use new readonly gati role #19688
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CodeQL Advanced" | |
| on: | |
| push: | |
| branches: | |
| - develop | |
| - release/* | |
| merge_group: | |
| pull_request: | |
| schedule: | |
| - cron: "22 22 * * 2" | |
| jobs: | |
| analyze: | |
| name: Analyze (${{ matrix.language }}) | |
| needs: [ runner-config ] | |
| runs-on: ${{ matrix.runs-on || 'ubuntu-latest' }} | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: actions | |
| build-mode: none | |
| - language: go | |
| build-mode: manual | |
| runs-on: ${{ needs.runner-config.outputs.go-runner }} | |
| - language: javascript-typescript | |
| build-mode: none | |
| codeql-config: | | |
| paths-ignore: | |
| - 'core/web/assets' | |
| - '**/node_modules/**' | |
| - language: python | |
| build-mode: none | |
| steps: | |
| - name: Enable S3 Cache for Self-Hosted Runners | |
| # these env vars are set (and exposed) when it is a self-hosted runner with extras=s3-cache | |
| if: ${{ env.RUNS_ON_INSTANCE_ID != '' && env.ACTIONS_CACHE_URL != '' }} | |
| uses: runs-on/action@66d4449b717b5462159659523d1241051ff470b9 # v1 | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| if: matrix.language == 'go' | |
| uses: ./.github/actions/setup-go | |
| with: | |
| restore-build-cache-only: ${{ github.event_name != 'push' }} | |
| build-cache-version: "codeql" | |
| - name: Touching core/web/assets/index.html | |
| if: matrix.language == 'go' | |
| run: mkdir -p core/web/assets && touch core/web/assets/index.html | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| config: ${{ matrix.codeql-config || '' }} | |
| # If you wish to specify custom queries, you can do so here or in a config file. | |
| # By default, queries listed here will override any specified in a config file. | |
| # Prefix the list here with "+" to use these queries and those in the config file. | |
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
| # queries: security-extended,security-and-quality | |
| - name: Build go code manually | |
| if: matrix.language == 'go' | |
| run: | | |
| echo "::group::Builing all go code (go build ./...)" | |
| go build ./... | |
| echo "::endgroup::" | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| runner-config: | |
| name: Runner Config | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: read | |
| contents: read | |
| env: | |
| SH_GO_RUNNER: runs-on=${{ github.run_id }}/cpu=32/ram=64/family=c6i/spot=false/extras=s3-cache+tmpfs | |
| GH_GO_RUNNER: ubuntu24.04-8cores-32GB | |
| outputs: | |
| go-runner: ${{ steps.go-codeql.outputs.go-runner }} | |
| steps: | |
| - name: Get PR Labels | |
| id: pr-labels | |
| uses: smartcontractkit/.github/actions/get-pr-labels@get-pr-labels/v1 | |
| with: | |
| check-label: "runs-on-opt-out" | |
| - name: Select runners for go codeql | |
| id: go-codeql | |
| shell: bash | |
| env: | |
| OPT_OUT: ${{ steps.pr-labels.outputs.check-label-found || 'false' }} | |
| run: | | |
| if [[ "$OPT_OUT" == "true" ]]; then | |
| echo "Opt-out is true for current run. Using gh-hosted runner for Go codeql." | |
| echo "go-runner=${GH_GO_RUNNER}" | tee -a $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| echo "Opt-out is false for current run. Using self-hosted runner for Go codeql." | |
| echo "go-is-self-hosted=true" | tee -a $GITHUB_OUTPUT | |
| echo "go-runner=${SH_GO_RUNNER}" | tee -a $GITHUB_OUTPUT |