diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4fd5fa2..c9949dd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,17 +1,21 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # This workflow will analyze all supported languages in the repository using CodeQL Analysis. name: "CodeQL" +permissions: + contents: read on: push: - branches: ["master"] + branches: + - master pull_request: - branches: ["master"] + branches: + - master schedule: - cron: '00 12 * * 0' # every Sunday at 12:00 UTC @@ -22,14 +26,17 @@ concurrency: jobs: languages: name: Get language matrix - runs-on: ubuntu-latest outputs: matrix: ${{ steps.lang.outputs.result }} continue: ${{ steps.continue.outputs.result }} + runs-on: ubuntu-latest steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Get repo languages - uses: actions/github-script@v7 id: lang + uses: actions/github-script@v7 with: script: | // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] @@ -54,6 +61,22 @@ jobs: // Track languages we've already added to avoid duplicates const addedLanguages = new Set() + // Check if workflow files exist to determine if we should add actions language + const fs = require('fs'); + const hasYmlFiles = fs.existsSync('.github/workflows') && + fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml')); + + // Add actions language if workflow files exist + if (hasYmlFiles) { + console.log('Found GitHub Actions workflow files. Adding actions to the matrix.'); + matrix['include'].push({ + "category": "/language:actions", + "language": "actions", + "name": "actions", + "os": "ubuntu-latest" + }); + } + for (let [key, value] of Object.entries(response.data)) { // remap language if (remap_languages[key.toLowerCase()]) { @@ -78,11 +101,18 @@ jobs: // set name for matrix let name = osList.length === 1 ? normalizedKey : `${normalizedKey}, ${os}` + // set category for matrix + let category = `/language:${normalizedKey}` + if (normalizedKey === 'cpp') { + category = `/language:cpp-${os.split('-')[0]}` + } + // add to matrix matrix['include'].push({ + "category": category, "language": normalizedKey, - "os": os, - "name": name + "name": name, + "os": os }) } } @@ -94,8 +124,8 @@ jobs: return matrix - name: Continue - uses: actions/github-script@v7 id: continue + uses: actions/github-script@v7 with: script: | // if matrix['include'] is an empty list return false, otherwise true @@ -109,24 +139,22 @@ jobs: analyze: name: Analyze (${{ matrix.name }}) - if: ${{ needs.languages.outputs.continue == 'true' }} + if: needs.languages.outputs.continue == 'true' defaults: run: shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }} env: GITHUB_CODEQL_BUILD: true - needs: [languages] - runs-on: ${{ matrix.os || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + needs: languages permissions: actions: read contents: read security-events: write - + runs-on: ${{ matrix.os || 'ubuntu-latest' }} strategy: fail-fast: false matrix: ${{ fromJson(needs.languages.outputs.matrix) }} - + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} steps: - name: Maximize build space if: >- @@ -174,8 +202,7 @@ jobs: - third-party # Pre autobuild - # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository - # create a file named .codeql-build-${{ matrix.language }}.sh in the root of your repository + # create a file named .codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh in the root of your repository - name: Prebuild id: prebuild run: | @@ -194,7 +221,7 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - category: "/language:${{matrix.language}}" + category: "${{ matrix.category }}" output: sarif-results upload: failure-only @@ -211,6 +238,7 @@ jobs: - name: Upload SARIF uses: github/codeql-action/upload-sarif@v3 with: + category: "${{ matrix.category }}" sarif_file: sarif-results/${{ matrix.language }}.sarif - name: Upload loc as a Build Artifact @@ -218,4 +246,5 @@ jobs: with: name: sarif-results-${{ matrix.language }}-${{ runner.os }} path: sarif-results + if-no-files-found: error retention-days: 1 diff --git a/.github/workflows/common-lint.yml b/.github/workflows/common-lint.yml index 10692ad..524be6f 100644 --- a/.github/workflows/common-lint.yml +++ b/.github/workflows/common-lint.yml @@ -1,16 +1,22 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # Common linting. name: common lint +permissions: + contents: read on: pull_request: - branches: [master] - types: [opened, synchronize, reopened] + branches: + - master + types: + - opened + - synchronize + - reopened concurrency: group: "${{ github.workflow }}-${{ github.ref }}" @@ -77,9 +83,10 @@ jobs: - name: C++ - Clang format lint if: always() && steps.cpp_files.outputs.found_files - uses: DoozyX/clang-format-lint-action@v0.18 + uses: DoozyX/clang-format-lint-action@v0.20 with: source: ${{ steps.cpp_files.outputs.found_files }} + clangFormatVersion: '20' extensions: 'c,cpp,h,hpp,m,mm' style: file inplace: false @@ -263,5 +270,4 @@ jobs: - name: YAML - log if: always() && steps.yamllint.outcome == 'failure' - run: | - cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY + run: cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index aec6006..5bd4e88 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml @@ -1,17 +1,22 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # Label and un-label actions using `../label-actions.yml`. name: Issues +permissions: {} on: issues: - types: [labeled, unlabeled] + types: + - labeled + - unlabeled discussion: - types: [labeled, unlabeled] + types: + - labeled + - unlabeled jobs: label: