Refactor workflow for CodeQL analysis #72
Updated the GitHub Actions workflow to implement CodeQL analysis and adjust job configurations.
Pull Request Overview
This PR refactors the GitHub Actions workflow to implement CodeQL analysis for security scanning instead of building and publishing binaries. The workflow is transformed from a complex multi-platform build system to a focused security analysis pipeline.
Key changes:
- Replaced build matrix with CodeQL analysis matrix targeting Go, C/C++, and Actions languages
- Simplified workflow steps to focus on CodeQL initialization, building, and analysis
- Removed extensive build, test, and packaging logic for multiple platforms
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| build-mode: ${{ matrix.build-mode }} | ||
| queries: ${{ matrix.language == 'c-cpp' && 'security-extended' || 'security-extended,security-and-quality' }} |
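Review bot: The `queries` value `security-extended,security-and-quality` on the last line of this hunk is redundant; `security-and-quality` already contains every query in `security-extended`, so the pair just schedules the security queries twice. Use `security-and-quality` alone, or move the suite choice into each matrix entry as a `queries` key and pass `${{ matrix.queries }}`. The `&&`/`||` form is valid in GitHub expressions, but it only works because `'security-extended'` is a non-empty string; if either branch ever became empty the expression would silently fall through to the other, which is worth a comment if it stays.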
Copilot
AI
Oct 14, 2025
The ternary operator syntax using && and || in YAML expressions can be confusing and error-prone. Consider using a more explicit conditional structure or separate matrix entries for different query configurations.
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| queries: ${{ matrix.language == 'c-cpp' && 'security-extended' || 'security-extended,security-and-quality' }} | |
| - name: Set CodeQL queries | |
| id: set-queries | |
| run: | | |
| if [ "${{ matrix.language }}" = "c-cpp" ]; then | |
| echo "queries=security-extended" >> $GITHUB_OUTPUT | |
| else | |
| echo "queries=security-extended,security-and-quality" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| queries: ${{ steps.set-queries.outputs.queries }} |
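Review bot: The extra `Set CodeQL queries` shell step is an indirection the matrix can absorb: a `queries` key on each `include` entry and `queries: ${{ matrix.queries }}` in the init step gives the same result with no script. If the step is kept, quote the redirect target (`>> "$GITHUB_OUTPUT"`) and pass the matrix value through `env:` rather than interpolating `${{ matrix.language }}` straight into `run:`; the value is fixed in the workflow here so it is not a script-injection risk, but passing workflow values via `env` is the habit that keeps later edits safe.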
| uses: github/codeql-action/autobuild@v3 | ||
|
|
||
| - name: Build (manual, for C/C++) | ||
| if: matrix.language == 'c-cpp' && matrix.build-mode != 'autobuild' |
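Review bot: With `build-mode: manual`, CodeQL extracts only the C/C++ that the `Build (manual, for C/C++)` step actually compiles, so whatever command follows this `if:` must run the full build from a clean tree; any target that is skipped, or satisfied from a cached object, gets no alerts and the scan looks green for code that was never analyzed. On the condition itself, `matrix.build-mode != 'autobuild'` also matches `none`, which is not what a manual build step should run under; `== 'manual'` states the intent.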
Copilot
AI
Oct 14, 2025
The condition checks for build-mode != 'autobuild' but the C/C++ matrix entry uses build-mode: manual. Consider using a positive check matrix.build-mode == 'manual' for better clarity and maintainability.
| if: matrix.language == 'c-cpp' && matrix.build-mode != 'autobuild' | |
| if: matrix.language == 'c-cpp' && matrix.build-mode == 'manual' |
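Review bot: Agreed on `== 'manual'`, and the `matrix.language == 'c-cpp'` half can go too: `build-mode` is set per matrix entry, so `if: matrix.build-mode == 'manual'` alone selects exactly the entries that need a hand-written build and keeps working if another compiled language is added later.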
| ram: ${{ matrix.ram }} | ||
|
|
||
| - name: Autobuild | ||
| if: matrix.language == 'go' && matrix.build-mode == 'autobuild' |
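Review bot: `ram: ${{ matrix.ram }}` evaluates to an empty string for any matrix entry that does not define `ram`; if the intent is to cap memory only for some languages, define `ram` on every `include` entry (or drop the input) so the behaviour is explicit rather than a side effect of a missing key. For the Autobuild condition, `if: matrix.build-mode == 'autobuild'` on its own is the cleaner form: it covers every autobuild entry and does not need editing when an entry changes language or mode.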
Copilot
AI
Oct 14, 2025
This condition is redundant since both Go matrix entries have build-mode: autobuild. The step could simply use if: matrix.language == 'go' for better readability.
| if: matrix.language == 'go' && matrix.build-mode == 'autobuild' | |
| if: matrix.language == 'go' |
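Review bot: Tying the Autobuild step to `matrix.language == 'go'` couples it to the current matrix shape; if a Go entry later switches to a different build mode, the step still runs, and if a second autobuild language is added, it does not. `if: matrix.build-mode == 'autobuild'` expresses what the step actually depends on.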