From 6fd8778c7e4086c7fc409c5d2580f01dcd1613bc Mon Sep 17 00:00:00 2001 From: Matteo Merli Date: Wed, 7 Feb 2024 22:31:38 -0800 Subject: [PATCH] Enable CodeQL static code scanner (#4203) --- .github/workflows/codeql.yml | 101 +++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000000..19b6393ee5d --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,101 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +name: "CodeQL" + +on: + push: + branches: [ "master" ] + pull_request: + branches: [ "master" ] + schedule: + - cron: '27 11 * * 6' + +jobs: + analyze: + name: Analyze + runs-on: 'ubuntu-latest' + timeout-minutes: 360 + permissions: + # required for all workflows + security-events: write + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: [ 'c-cpp', 'java-kotlin', 'python' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Detect changed files + id: changes + uses: apache/pulsar-test-infra/paths-filter@master + with: + filters: .github/changes-filter.yaml + list-files: csv + + - name: Check changed files + id: check_changes + run: | + echo "docs_only=${{ fromJSON(steps.changes.outputs.all_count) == fromJSON(steps.changes.outputs.docs_count) && fromJSON(steps.changes.outputs.docs_count) > 0 }}" >> $GITHUB_OUTPUT + + - name: Cache local Maven repository + if: steps.check_changes.outputs.docs_only != 'true' + id: cache + uses: actions/cache@v3 + with: + path: | + ~/.m2/repository/*/*/* + !~/.m2/repository/org/apache/bookkeeper + !~/.m2/repository/org/apache/distributedlog + key: ${{ runner.os }}-bookkeeper-all-${{ hashFiles('**/pom.xml') }} + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Set up JDK 11 + if: steps.check_changes.outputs.docs_only != 'true' + uses: actions/setup-java@v2 + with: + distribution: 'temurin' + java-version: 11 + + - name: Set up Maven + uses: apache/pulsar-test-infra/setup-maven@master + with: + maven-version: 3.8.7 + + - name: Validate pull request + if: steps.check_changes.outputs.docs_only != 'true' + run: | + mvn -T 1C -B -nsu clean install -Ddistributedlog -DskipTests -Dorg.slf4j.simpleLogger.defaultLogLevel=INFO + + - name: Perform CodeQL Analysis + if: steps.check_changes.outputs.docs_only != 'true' + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}"