perf(ci): optimize CodeQL analysis performance with query filtering and path exclusions #44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CodeQL" | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '0 0 * * 0' | |
| jobs: | |
| analyze: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: javascript-typescript | |
| build-mode: none | |
| steps: | |
| - name: Clean up disk space | |
| run: | | |
| echo "Disk space before cleanup:" | |
| df -h | |
| echo "" | |
| echo "Cleaning up unnecessary files to free disk space..." | |
| # Remove large tool directories that aren't needed for JavaScript/TypeScript CodeQL analysis | |
| # These tools will be re-downloaded by GitHub Actions if needed for other jobs | |
| sudo rm -rf /usr/share/dotnet | |
| sudo rm -rf /opt/ghc | |
| sudo rm -rf /usr/local/share/boost | |
| sudo rm -rf /usr/local/lib/android | |
| sudo rm -rf /opt/az | |
| # Remove large tool caches (CodeQL will re-download only what it needs) | |
| sudo rm -rf "$AGENT_TOOLSDIRECTORY" | |
| # Clean up system caches | |
| sudo apt-get clean | |
| sudo rm -rf /var/lib/apt/lists/* | |
| # Remove Docker images if Docker is installed (not needed for CodeQL) | |
| docker system prune -af || true | |
| # Remove pip cache | |
| rm -rf ~/.cache/pip || true | |
| # Remove npm cache (will be recreated during checkout if needed) | |
| npm cache clean --force || true | |
| echo "" | |
| echo "Disk space after cleanup:" | |
| df -h | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Initializes the CodeQL tools for scanning. | |
| # Use security-extended query pack for PRs (faster), security-and-quality for main/scheduled (comprehensive) | |
| - name: Initialize CodeQL (PR - security-extended) | |
| if: github.event_name == 'pull_request' | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # Use our custom config file to exclude unnecessary files | |
| config-file: ./.github/codeql/codeql-config.yml | |
| # Use security-extended for faster PR analysis | |
| queries: security-extended | |
| - name: Initialize CodeQL (main/scheduled - security-and-quality) | |
| if: github.event_name != 'pull_request' | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # Use our custom config file to exclude unnecessary files | |
| config-file: ./.github/codeql/codeql-config.yml | |
| # Use security-and-quality for comprehensive analysis on main branch and scheduled runs | |
| queries: security-and-quality | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" | |