Create codeql.yml #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| jobs: | ||
| test: | ||
| name: Test on node ${{ matrix.node_version }} and ${{ matrix.os }} | ||
| runs-on: ${{ matrix.os }} | ||
| strategy: | ||
| matrix: | ||
| node_version: ['18.x', '20.x'] | ||
| os: [ubuntu-latest, windows-latest, macOS-latest] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Use Node.js ${{ matrix.node_version }} | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: ${{ matrix.node_version }} | ||
| - name: npm install, build and test | ||
| run: | | ||
| npm install | ||
| npm run build --if-present | ||
| npm test | ||
| For more information, see "Workflow syntax for GitHub Actions." | ||
| Running steps or jobs conditionally | ||
| GitHub Actions supports conditions on steps and jobs using data present in your workflow context. | ||
| For example, to run a step only as part of a push and not in a pull_request, you can specify a condition in the if: property based on the event name: | ||
| steps: | ||
| - run: npm publish | ||
| if: github.event_name == 'push' | ||
| For more information, see "Contexts and expression syntax for GitHub Actions." | ||
| # For most projects, this workflow file will not need changing; you simply need | ||
| # to commit it to your repository. | ||
| # | ||
| # You may wish to alter this file to override the set of languages analyzed, | ||
| # or to provide custom queries or build logic. | ||
| # | ||
| # ******** NOTE ******** | ||
| # We have attempted to detect the languages in your repository. Please check | ||
| # the `language` matrix defined below to confirm you have the correct set of | ||
| # supported CodeQL languages. | ||
| # | ||
| name: "CodeQL" | ||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| branches: [ "main" ] | ||
| schedule: | ||
| - cron: '40 18 * * 5' | ||
| jobs: | ||
| analyze: | ||
| name: Analyze (${{ matrix.language }}) | ||
| # Runner size impacts CodeQL analysis time. To learn more, please see: | ||
| # - https://gh.io/recommended-hardware-resources-for-running-codeql | ||
| # - https://gh.io/supported-runners-and-hardware-resources | ||
| # - https://gh.io/using-larger-runners (GitHub.com only) | ||
| # Consider using larger runners or machines with greater resources for possible analysis time improvements. | ||
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
| timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} | ||
| permissions: | ||
| # required for all workflows | ||
| security-events: write | ||
| # required to fetch internal or private CodeQL packs | ||
| packages: read | ||
| # only required for workflows in private repositories | ||
| actions: read | ||
| contents: read | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' | ||
| # Use `c-cpp` to analyze code written in C, C++ or both | ||
| # Use 'java-kotlin' to analyze code written in Java, Kotlin or both | ||
| # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both | ||
| # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, | ||
| # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. | ||
| # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how | ||
| # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| build-mode: ${{ matrix.build-mode }} | ||
| # If you wish to specify custom queries, you can do so here or in a config file. | ||
| # By default, queries listed here will override any specified in a config file. | ||
| # Prefix the list here with "+" to use these queries and those in the config file. | ||
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | ||
| # queries: security-extended,security-and-quality | ||
| # If the analyze step fails for one of the languages you are analyzing with | ||
| # "We were unable to automatically build your code", modify the matrix above | ||
| # to set the build mode to "manual" for that language. Then modify this step | ||
| # to build your code. | ||
| # ℹ️ Command-line programs to run using the OS shell. | ||
| # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun | ||
| - if: matrix.build-mode == 'manual' | ||
| shell: bash | ||
| run: | | ||
| echo 'If you are using a "manual" build mode for one or more of the' \ | ||
| 'languages you are analyzing, replace this with the commands to build' \ | ||
| 'your code, for example:' | ||
| echo ' make bootstrap' | ||
| echo ' make release' | ||
| exit 1 | ||
| - name: Setup Java JDK | ||
| uses: actions/setup-java@v4.2.1 | ||
| with: | ||
| # The Java version to set up. Takes a whole or semver Java version. See examples of supported syntax in README file | ||
| java-version: # optional | ||
| # The path to the `.java-version` file. See examples of supported syntax in README file | ||
| java-version-file: # optional | ||
| # Java distribution. See the list of supported distributions in README file | ||
| distribution: | ||
| # The package type (jdk, jre, jdk+fx, jre+fx) | ||
| java-package: # optional, default is jdk | ||
| # The architecture of the package (defaults to the action runner's architecture) | ||
| architecture: # optional | ||
| # Path to where the compressed JDK is located | ||
| jdkFile: # optional | ||
| # Set this option if you want the action to check for the latest available version that satisfies the version spec | ||
| check-latest: # optional | ||
| # ID of the distributionManagement repository in the pom.xml file. Default is `github` | ||
| server-id: # optional, default is github | ||
| # Environment variable name for the username for authentication to the Apache Maven repository. Default is $GITHUB_ACTOR | ||
| server-username: # optional, default is GITHUB_ACTOR | ||
| # Environment variable name for password or token for authentication to the Apache Maven repository. Default is $GITHUB_TOKEN | ||
| server-password: # optional, default is GITHUB_TOKEN | ||
| # Path to where the settings.xml file will be written. Default is ~/.m2. | ||
| settings-path: # optional | ||
| # Overwrite the settings.xml file if it exists. Default is "true". | ||
| overwrite-settings: # optional, default is true | ||
| # GPG private key to import. Default is empty string. | ||
| gpg-private-key: # optional | ||
| # Environment variable name for the GPG private key passphrase. Default is $GPG_PASSPHRASE. | ||
| gpg-passphrase: # optional | ||
| # Name of the build platform to cache dependencies. It can be "maven", "gradle" or "sbt". | ||
| cache: # optional | ||
| # The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies. | ||
| cache-dependency-path: # optional | ||
| # Workaround to pass job status to post job step. This variable is not intended for manual setting | ||
| job-status: # optional, default is ${{ job.status }} | ||
| # The token used to authenticate when fetching version manifests hosted on github.com, such as for the Microsoft Build of OpenJDK. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. | ||
| token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }} | ||
| # Name of Maven Toolchain ID if the default name of "${distribution}_${java-version}" is not wanted. See examples of supported syntax in Advanced Usage file | ||
| mvn-toolchain-id: # optional | ||
| # Name of Maven Toolchain Vendor if the default name of "${distribution}" is not wanted. See examples of supported syntax in Advanced Usage file | ||
| mvn-toolchain-vendor: # optional | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v3 | ||
| with: | ||
| category: "/language:${{matrix.language}}" | ||
