Hotspots CodeQL Build/Publish #2
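---
# Builds the "hotspots" CodeQL query packs for every language in the matrix
# from a patched github/codeql checkout, then publishes the lib and src packs
# to the githubsecuritylab container registry whenever the locally generated
# qlpack version differs from the most recently published tag.
name: "Hotspots CodeQL Build/Publish"

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      version:
        description: "QLPack version"
        required: true

jobs:
  build:
    # Honour the per-language runner declared in the matrix. The previous
    # hard-coded `ubuntu-latest` meant the `runner` matrix entries (including
    # the larger runner for java) were never used.
    runs-on: ${{ matrix.runner }}
    # Least privilege: read the two repositories, push packages. Nothing else.
    permissions:
      contents: read
      packages: write
    strategy:
      # Keep building/publishing the remaining languages when one fails.
      fail-fast: false
      matrix:
        include:
          - language: cpp
            runner: ubuntu-latest
          - language: csharp
            runner: ubuntu-latest
          - language: go
            runner: ubuntu-latest
          - language: java
            runner: ubuntu-latest-xl
          - language: javascript
            runner: ubuntu-latest
          - language: python
            runner: ubuntu-latest
          - language: ruby
            runner: ubuntu-latest
    steps:
      # `v4` replaces the deprecated `v2` (end-of-life Node runtime). A major
      # tag is still mutable; once a release is chosen, pin it to its commit
      # SHA the way the codeql-action step below is pinned, e.g.
      #   uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER>  # vX.Y.Z
      - name: Checkout github/codeql
        uses: actions/checkout@v4
        with:
          path: codeql
          repository: github/codeql
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - name: Checkout github/codeql-community-packs
        uses: actions/checkout@v4
        with:
          path: codeql-community-packs
          repository: github/codeql-community-packs
          ref: ${{ github.ref }}

      # Only used to get a CodeQL CLI bundle into the runner tool cache; the
      # language passed here does not influence anything else in this job.
      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
        with:
          languages: javascript # does not matter

      - name: Initialize CodeQL
        id: init
        run: |
          # Take the most modern version. `sort -V` orders version strings
          # numerically; plain `sort` would place e.g. 2.9.x after 2.10.x.
          VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
                     | sort -V \
                     | tail -n 1 \
                     | tr -d '\n')"
          CODEQL="$VERSION/x64/codeql/"
          "${CODEQL}"/codeql version --format=json
          echo "${CODEQL}" >> "$GITHUB_PATH"

      - name: Create CodeQL config
        run: |
          mkdir -p ~/.config/codeql
          # Same extractor-pack directory the later steps address via
          # $GITHUB_WORKSPACE; derive it instead of hard-coding the runner path.
          echo "--search-path ${GITHUB_WORKSPACE}/codeql/ql/extractor-pack" >> ~/.config/codeql/config

      - name: Install QL extractor
        working-directory: codeql/ql
        run: |
          ./scripts/create-extractor-pack.sh

      - name: Patch the CodeQL distro
        working-directory: codeql-community-packs
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Pass the workflow input through the environment rather than
          # interpolating `${{ inputs.version }}` into the script: the
          # expression is expanded before the shell runs, so any shell
          # metacharacters in the input would become part of the command.
          QLPACK_VERSION: ${{ inputs.version }}
        run: |
          ls -la "$GITHUB_WORKSPACE/codeql-community-packs/ql/hotspots/Hotspots.ql"
          # NOTE(review): unpinned install; consider pinning pandas (or a
          # hash-pinned requirements file) for a reproducible build.
          pip install pandas
          python scripts/generate-hotspots-queries.py \
            --ql-extractor "$GITHUB_WORKSPACE/codeql/ql/extractor-pack" \
            --ql-path "$GITHUB_WORKSPACE/codeql"
          python scripts/patch-codeql.py \
            --hotspots "$GITHUB_WORKSPACE/codeql-community-packs/ql/hotspots/output" \
            --ql "$GITHUB_WORKSPACE/codeql" \
            --dest "$GITHUB_WORKSPACE/codeql-patched" \
            --qlpack-version "$QLPACK_VERSION"

      - name: Check and publish hotspots lib packs
        working-directory: codeql-patched
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LANGUAGE: ${{ matrix.language }}
        run: |
          # Newest published tag of the `-all` (lib) package for this language.
          # NOTE(review): if the package has never been published, `gh api`
          # returns non-zero and the step stops here — confirm that is intended
          # for a first publish.
          PUBLISHED_VERSION=$(gh api "/orgs/githubsecuritylab/packages/container/hotspots-${LANGUAGE}-all/versions" --jq '.[0].metadata.container.tags[0]')
          # Anchor on the top-level `version:` key so other lines that merely
          # contain the word "version" cannot leak into the comparison.
          CURRENT_VERSION=$(grep '^version:' "${LANGUAGE}/ql/lib/qlpack.yml" | awk '{print $2}')
          echo "Published lib version: $PUBLISHED_VERSION"
          echo "Local lib version: $CURRENT_VERSION"
          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
            codeql pack install "${LANGUAGE}/ql/lib"
            codeql pack publish "${LANGUAGE}/ql/lib"
          fi

      - name: Check and publish hotspots src packs
        working-directory: codeql-patched
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LANGUAGE: ${{ matrix.language }}
        run: |
          # Newest published tag of the `-queries` (src) package for this
          # language; same first-publish caveat as the lib step above.
          PUBLISHED_VERSION=$(gh api "/orgs/githubsecuritylab/packages/container/hotspots-${LANGUAGE}-queries/versions" --jq '.[0].metadata.container.tags[0]')
          CURRENT_VERSION=$(grep '^version:' "${LANGUAGE}/ql/src/qlpack.yml" | awk '{print $2}')
          echo "Published queries version: $PUBLISHED_VERSION"
          echo "Local queries version: $CURRENT_VERSION"
          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
            codeql pack install "${LANGUAGE}/ql/src"
            codeql pack publish "${LANGUAGE}/ql/src"
          fi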