ci: codeql

Signed-off-by: Yuhang Shi <[email protected]>
pleisto · Oct 27, 2023 · 9114a55 · 9114a55
1 parent 87192d1
commit 9114a55
Show file tree

Hide file tree

Showing 7 changed files with 71 additions and 40 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,49 +1,27 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: 'CodeQL'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+name: CodeQL
 
 on:
-  push:
-    branches: ['main']
-  workflow_dispatch:
+  workflow_call:
+    inputs:
+      # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+      language:
+        description: 'https://aka.ms/codeql-docs/language-support'
+        required: true
+        type: string
+      working-directory:
+        required: true
+        type: string
 
 jobs:
   analyze:
     name: Analyze
-    # Runner size impacts CodeQL analysis time. To learn more, please see:
-    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
-    #   - https://gh.io/supported-runners-and-hardware-resources
-    #   - https://gh.io/using-larger-runners
-    # Consider using larger runners for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
     permissions:
       actions: read
       contents: read
       security-events: write
 
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['csharp', 'javascript-typescript']
-        # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
-        # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -52,7 +30,7 @@ jobs:
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         with:
-          languages: ${{ matrix.language }}
+          languages: ${{ inputs.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
           # By default, queries listed here will override any specified in a config file.
           # Prefix the list here with "+" to use these queries and those in the config file.
@@ -64,6 +42,8 @@ jobs:
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
         uses: github/codeql-action/autobuild@v2
+        with:
+          working-directory: ${{inputs.working-directory}}
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -78,4 +58,4 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
         with:
-          category: '/language:${{matrix.language}}'
+          category: '/language:${{inputs.language}}'
diff --git a/.github/workflows/csharp-bindings-build.yml b/.github/workflows/csharp-bindings-build.yml
@@ -17,6 +17,8 @@ on:
       - 'packages/rust-core/Cargo.toml'
       - 'packages/rust-core/Cargo.lock'
       - .github/workflows/csharp-bindings-build.yml
+      - '.github/workflows/codeql.yml'
+
   push:
     branches: [main]
     paths:
@@ -25,8 +27,16 @@ on:
       - 'packages/rust-core/Cargo.toml'
       - 'packages/rust-core/Cargo.lock'
       - .github/workflows/csharp-bindings-build.yml
+      - '.github/workflows/codeql.yml'
 
 jobs:
+  codeql:
+    name: csharp-bindings-ci-codeql
+    uses: ./.github/workflows/codeql.yml
+    with:
+      language: csharp
+      working-directory: packages/rust-core/csharp
+
   build:
     strategy:
       fail-fast: false

diff --git a/.github/workflows/csharp-ci.yml b/.github/workflows/csharp-ci.yml
@@ -11,15 +11,23 @@ on:
       - 'examples/csharp/**'
       - 'packages/csharp/**'
       - '.github/workflows/csharp-ci.yml'
+      - '.github/workflows/codeql.yml'
   push:
     branches: [main]
     paths:
       - 'examples/csharp/**'
       - 'packages/csharp/**'
       - '.github/workflows/csharp-ci.yml'
-
+      - '.github/workflows/codeql.yml'
 
 jobs:
+  codeql:
+    name: csharp-ci-codeql
+    uses: ./.github/workflows/codeql.yml
+    with:
+      language: csharp
+      working-directory: packages/csharp
+
   tests:
     name: csharp-ci-test
     runs-on: ${{ matrix.os }}

diff --git a/.github/workflows/java-bindings-ci.yml b/.github/workflows/java-bindings-ci.yml
@@ -13,6 +13,7 @@ on:
       - 'packages/rust-core/Cargo.toml'
       - '.github/workflows/java-bindings-ci.yml'
       - '.github/workflows/java-bindings-build-common.yml'
+      - '.github/workflows/codeql.yml'
   push:
     branches: [main]
     paths:
@@ -21,17 +22,24 @@ on:
       - 'packages/rust-core/Cargo.toml'
       - '.github/workflows/java-bindings-ci.yml'
       - '.github/workflows/java-bindings-build-common.yml'
+      - '.github/workflows/codeql.yml'
 
 defaults:
   run:
     working-directory: packages/rust-core/java
 
-
 env:
   RUST_BACKTRACE: full
   CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG: true
 
 jobs:
+  codeql:
+    name: java-bindings-ci-codeql
+    uses: ./.github/workflows/codeql.yml
+    with:
+      language: java-kotlin
+      working-directory: packages/rust-core/java
+
   lint:
     runs-on: ubuntu-latest
     name: java-bindings-ci-lint
@@ -82,4 +90,4 @@ jobs:
         # https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
         run: ./mvnw verify artifact:compare -D"gpg.skip"
         env:
-          MAVEN_OPTS: "-server -Xmx512m -XX:MetaspaceSize=128m -XX:MaxMetaspaceSize=384m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+TieredCompilation -XX:TieredStopAtLevel=1 -XX:SoftRefLRUPolicyMSPerMB=50 -Djava.awt.headless=true"
+          MAVEN_OPTS: '-server -Xmx512m -XX:MetaspaceSize=128m -XX:MaxMetaspaceSize=384m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+TieredCompilation -XX:TieredStopAtLevel=1 -XX:SoftRefLRUPolicyMSPerMB=50 -Djava.awt.headless=true'
diff --git a/.github/workflows/kotlin-ci.yml b/.github/workflows/kotlin-ci.yml
@@ -12,13 +12,15 @@ on:
       - 'examples/kotlin/**'
       - 'examples/java/**'
       - '.github/workflows/kotlin-ci.yml'
+      - '.github/workflows/codeql.yml'
   push:
     branches: [main]
     paths:
       - 'packages/kotlin/**'
       - 'examples/kotlin/**'
       - 'examples/java/**'
       - '.github/workflows/kotlin-ci.yml'
+      - '.github/workflows/codeql.yml'
 
 defaults:
   run:
@@ -29,6 +31,13 @@ env:
   WORKING_DIRECTORY: packages/kotlin
 
 jobs:
+  codeql:
+    name: kotlin-ci-codeql
+    uses: ./.github/workflows/codeql.yml
+    with:
+      language: java-kotlin
+      working-directory: packages/kotlin
+
   validate:
     name: kotlin-ci-validate
     runs-on: ubuntu-latest

diff --git a/.github/workflows/nodejs-bindings-ci.yml b/.github/workflows/nodejs-bindings-ci.yml
@@ -30,6 +30,7 @@ on:
       - 'packages/rust-core/package.json'
       - '.github/workflows/nodejs-bindings-build-common.yml'
       - '.github/workflows/nodejs-bindings-ci.yml'
+      - '.github/workflows/codeql.yml'
   push:
     branches: [main]
     paths:
@@ -41,8 +42,15 @@ on:
       - 'packages/rust-core/package.json'
       - '.github/workflows/nodejs-bindings-build-common.yml'
       - '.github/workflows/nodejs-bindings-ci.yml'
+      - '.github/workflows/codeql.yml'
 
 jobs:
+  codeql:
+    name: nodejs-ci-codeql
+    uses: ./.github/workflows/codeql.yml
+    with:
+      language: javascript-typescript
+      working-directory: packages/rust-core/nodejs
   build:
     name: nodejs-bindings-ci-build
     uses: ./.github/workflows/nodejs-bindings-build-common.yml
diff --git a/.github/workflows/nodejs-ci.yml b/.github/workflows/nodejs-ci.yml
@@ -12,15 +12,23 @@ on:
       - 'packages/nodejs/**'
       - '.github/workflows/nodejs-build-common.yml'
       - '.github/workflows/nodejs-ci.yml'
+      - '.github/workflows/codeql.yml'
   push:
     branches: [main]
     paths:
       - 'yarn.lock'
       - 'packages/nodejs/**'
       - '.github/workflows/nodejs-build-common.yml'
       - '.github/workflows/nodejs-ci.yml'
+      - '.github/workflows/codeql.yml'
 
 jobs:
+  codeql:
+    name: nodejs-ci-codeql
+    uses: ./.github/workflows/codeql.yml
+    with:
+      language: javascript-typescript
+      working-directory: packages/nodejs
   build:
     name: nodejs-ci-build
     uses: ./.github/workflows/nodejs-build-common.yml