diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 82a8c603..cc9a43cb 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,49 +1,27 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: 'CodeQL'
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+name: CodeQL
 on:
- push:
- branches: ['main']
- workflow_dispatch:
+ workflow_call:
+ inputs:
+ # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+ language:
+ description: 'https://aka.ms/codeql-docs/language-support'
+ required: true
+ type: string
+ working-directory:
+ required: true
+ type: string
 jobs:
 analyze:
 name: Analyze
- # Runner size impacts CodeQL analysis time. To learn more, please see:
- # - https://gh.io/recommended-hardware-resources-for-running-codeql
- # - https://gh.io/supported-runners-and-hardware-resources
- # - https://gh.io/using-larger-runners
- # Consider using larger runners for possible analysis time improvements.
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
- timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
 permissions:
 actions: read
 contents: read
 security-events: write
- strategy:
- fail-fast: false
- matrix:
- language: ['csharp', 'javascript-typescript']
- # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
- # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
- # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
- # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
@@ -52,7 +30,7 @@ jobs:
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v2
 with:
- languages: ${{ matrix.language }}
+ languages: ${{ inputs.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
@@ -64,6 +42,8 @@ jobs:
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
 uses: github/codeql-action/autobuild@v2
+ with:
+ working-directory: ${{inputs.working-directory}}
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -78,4 +58,4 @@ jobs:
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v2
 with:
- category: '/language:${{matrix.language}}'
+ category: '/language:${{inputs.language}}'
diff --git a/.github/workflows/csharp-bindings-build.yml b/.github/workflows/csharp-bindings-build.yml
index 12e9c836..817794c1 100644
--- a/.github/workflows/csharp-bindings-build.yml
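Review bot: With `workflow_call` as the only trigger, a CodeQL run now happens only when a caller's `paths:` filter matches, so the previous unconditional scan on every push to `main` is gone and nothing re-scans on a schedule to pick up newly published queries; consider keeping one thin caller with a `schedule:` cron trigger that invokes this workflow for each language. The `concurrency` group was also dropped, so unless each caller defines its own, superseded pull-request runs keep consuming 60-minute jobs. The new `working-directory` input has no `description:`; something like `description: 'Directory, relative to the checkout, that the Autobuild step runs in'` would tell callers what to pass. The `analyze` job continues past the end of this hunk.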
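Review bot: `working-directory` here only changes where the Autobuild step runs; the `init` step is still rooted at the checkout, so for `javascript-typescript`, which has no build to trace, the extractor will as far as I can tell still scan the whole repository and the `packages/nodejs` versus `packages/rust-core/nodejs` split the callers pass has no effect. If the intent is to limit the analysis to that directory, pass it to `init` as well: `source-root: ${{ inputs.working-directory }}`. The expression is also written `${{inputs.working-directory}}` while the rest of the file spaces its expressions (`${{ inputs.language }}`); `${{ inputs.working-directory }}` keeps the style consistent.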
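Review bot: `/language:${{inputs.language}}` is no longer unique per upload: the callers in this commit run this workflow twice for `csharp`, twice for `java-kotlin` and twice for `javascript-typescript`, each against a different `working-directory`, yet both uploads of a pair land under the same category. Code scanning uses the category together with the tool to match an upload against earlier analyses, so if the two uploads for one language are treated as the same analysis, alerts found only by one directory's scan can be closed as fixed by the other's upload; I have not verified how the analysis key is derived for a reusable workflow, so please confirm against the code-scanning docs. Including the directory in the category keeps the two apart: `category: '/language:${{ inputs.language }}/dir:${{ inputs.working-directory }}'`.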
+++ b/.github/workflows/csharp-bindings-build.yml
@@ -17,6 +17,8 @@ on:
 - 'packages/rust-core/Cargo.toml'
 - 'packages/rust-core/Cargo.lock'
 - .github/workflows/csharp-bindings-build.yml
+ - '.github/workflows/codeql.yml'
+
 push:
 branches: [main]
 paths:
@@ -25,8 +27,16 @@ on:
 - 'packages/rust-core/Cargo.toml'
 - 'packages/rust-core/Cargo.lock'
 - .github/workflows/csharp-bindings-build.yml
+ - '.github/workflows/codeql.yml'
 jobs:
+ codeql:
+ name: csharp-bindings-ci-codeql
+ uses: ./.github/workflows/codeql.yml
+ with:
+ language: csharp
+ working-directory: packages/rust-core/csharp
+
 build:
 strategy:
 fail-fast: false
diff --git a/.github/workflows/csharp-ci.yml b/.github/workflows/csharp-ci.yml
index 52677961..3923e615 100644
--- a/.github/workflows/csharp-ci.yml
+++ b/.github/workflows/csharp-ci.yml
@@ -11,15 +11,23 @@ on:
 - 'examples/csharp/**'
 - 'packages/csharp/**'
 - '.github/workflows/csharp-ci.yml'
+ - '.github/workflows/codeql.yml'
 push:
 branches: [main]
 paths:
 - 'examples/csharp/**'
 - 'packages/csharp/**'
 - '.github/workflows/csharp-ci.yml'
-
+ - '.github/workflows/codeql.yml'
 jobs:
+ codeql:
+ name: csharp-ci-codeql
+ uses: ./.github/workflows/codeql.yml
+ with:
+ language: csharp
+ working-directory: packages/csharp
+
 tests:
 name: csharp-ci-test
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/java-bindings-ci.yml b/.github/workflows/java-bindings-ci.yml
index 6f7aecf0..c411a0fb 100644
--- a/.github/workflows/java-bindings-ci.yml
+++ b/.github/workflows/java-bindings-ci.yml
@@ -13,6 +13,7 @@ on:
 - 'packages/rust-core/Cargo.toml'
 - '.github/workflows/java-bindings-ci.yml'
 - '.github/workflows/java-bindings-build-common.yml'
+ - '.github/workflows/codeql.yml'
 push:
 branches: [main]
 paths:
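Review bot: The new `codeql` job grants no `permissions:`, and a called workflow can only narrow the token permissions it receives from the caller, never widen them, so the `security-events: write` declared inside codeql.yml only takes effect if this job (or this workflow's top level, which is outside the hunk) already has it. With the repository's default `GITHUB_TOKEN` set to read-only, the recommended setting, the SARIF upload in the called `analyze` job would fail with a permission error rather than surface any findings. The grant belongs on the caller job, as shown below, and the same applies to the `codeql` jobs the commit adds to the other five workflows. If the first `paths:` list in this file belongs to a `pull_request` trigger, note that for pull requests from forks the token is read-only regardless of these settings, so uploads from fork PRs would still be rejected; that deserves a comment on the job.
```yaml
  codeql:
    name: csharp-bindings-ci-codeql
    permissions:
      actions: read
      contents: read
      security-events: write
    uses: ./.github/workflows/codeql.yml
    # … unchanged: with: language / working-directory …
```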
@@ -21,17 +22,24 @@ on:
 - 'packages/rust-core/Cargo.toml'
 - '.github/workflows/java-bindings-ci.yml'
 - '.github/workflows/java-bindings-build-common.yml'
+ - '.github/workflows/codeql.yml'
 defaults:
 run:
 working-directory: packages/rust-core/java
-
 env:
 RUST_BACKTRACE: full
 CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG: true
 jobs:
+ codeql:
+ name: java-bindings-ci-codeql
+ uses: ./.github/workflows/codeql.yml
+ with:
+ language: java-kotlin
+ working-directory: packages/rust-core/java
+
 lint:
 runs-on: ubuntu-latest
 name: java-bindings-ci-lint
@@ -82,4 +90,4 @@ jobs:
 # https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
 run: ./mvnw verify artifact:compare -D"gpg.skip"
 env:
- MAVEN_OPTS: "-server -Xmx512m -XX:MetaspaceSize=128m -XX:MaxMetaspaceSize=384m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+TieredCompilation -XX:TieredStopAtLevel=1 -XX:SoftRefLRUPolicyMSPerMB=50 -Djava.awt.headless=true"
+ MAVEN_OPTS: '-server -Xmx512m -XX:MetaspaceSize=128m -XX:MaxMetaspaceSize=384m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+TieredCompilation -XX:TieredStopAtLevel=1 -XX:SoftRefLRUPolicyMSPerMB=50 -Djava.awt.headless=true'
diff --git a/.github/workflows/kotlin-ci.yml b/.github/workflows/kotlin-ci.yml
index b871e93e..54b896a3 100644
--- a/.github/workflows/kotlin-ci.yml
+++ b/.github/workflows/kotlin-ci.yml
@@ -12,6 +12,7 @@ on:
 - 'examples/kotlin/**'
 - 'examples/java/**'
 - '.github/workflows/kotlin-ci.yml'
+ - '.github/workflows/codeql.yml'
 push:
 branches: [main]
 paths:
@@ -19,6 +20,7 @@ on:
 - 'examples/kotlin/**'
 - 'examples/java/**'
 - '.github/workflows/kotlin-ci.yml'
+ - '.github/workflows/codeql.yml'
 defaults:
 run:
@@ -29,6 +31,13 @@ env:
 WORKING_DIRECTORY: packages/kotlin
 jobs:
+ codeql:
+ name: kotlin-ci-codeql
+ uses: ./.github/workflows/codeql.yml
+ with:
+ language: java-kotlin
+ working-directory: packages/kotlin
+
 validate:
 name: kotlin-ci-validate
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nodejs-bindings-ci.yml b/.github/workflows/nodejs-bindings-ci.yml
index a65ed443..9340006a 100644
--- a/.github/workflows/nodejs-bindings-ci.yml
+++ b/.github/workflows/nodejs-bindings-ci.yml
@@ -30,6 +30,7 @@ on:
 - 'packages/rust-core/package.json'
 - '.github/workflows/nodejs-bindings-build-common.yml'
 - '.github/workflows/nodejs-bindings-ci.yml'
+ - '.github/workflows/codeql.yml'
 push:
 branches: [main]
 paths:
@@ -41,8 +42,15 @@ on:
 - 'packages/rust-core/package.json'
 - '.github/workflows/nodejs-bindings-build-common.yml'
 - '.github/workflows/nodejs-bindings-ci.yml'
+ - '.github/workflows/codeql.yml'
 jobs:
+ codeql:
+ name: nodejs-ci-codeql
+ uses: ./.github/workflows/codeql.yml
+ with:
+ language: javascript-typescript
+ working-directory: packages/rust-core/nodejs
 build:
 name: nodejs-bindings-ci-build
 uses: ./.github/workflows/nodejs-bindings-build-common.yml
diff --git a/.github/workflows/nodejs-ci.yml b/.github/workflows/nodejs-ci.yml
index e5205933..152fae9f 100644
--- a/.github/workflows/nodejs-ci.yml
+++ b/.github/workflows/nodejs-ci.yml
@@ -12,6 +12,7 @@ on:
 - 'packages/nodejs/**'
 - '.github/workflows/nodejs-build-common.yml'
 - '.github/workflows/nodejs-ci.yml'
+ - '.github/workflows/codeql.yml'
 push:
 branches: [main]
 paths:
@@ -19,8 +20,15 @@ on:
 - 'packages/nodejs/**'
 - '.github/workflows/nodejs-build-common.yml'
 - '.github/workflows/nodejs-ci.yml'
+ - '.github/workflows/codeql.yml'
 jobs:
+ codeql:
+ name: nodejs-ci-codeql
+ uses: ./.github/workflows/codeql.yml
+ with:
+ language: javascript-typescript
+ working-directory: packages/nodejs
 build:
 name: nodejs-ci-build
 uses: ./.github/workflows/nodejs-build-common.yml
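Review bot: The job added to nodejs-bindings-ci.yml is named `nodejs-ci-codeql`, which is the same display name the `codeql` job in nodejs-ci.yml gets in this commit and which breaks this file's own `nodejs-bindings-ci-*` naming (see `nodejs-bindings-ci-build` two lines below). Two checks with identical names are hard to tell apart in the pull-request checks list and cannot be targeted separately as required status checks in branch protection. Rename it `name: nodejs-bindings-ci-codeql`. Unlike the csharp, java and kotlin callers in this commit, no blank line separates the new job from `build:`; adding one keeps the callers consistent.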