
Add CodeQL analysis #1076

Add CodeQL analysis


Workflow file for this run

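---
# Unit-test workflow: runs the Gradle test suite on Linux, Windows and macOS.
# The Linux leg additionally produces a CodeQL SARIF report and a coverage
# report; the downstream `codeql` and `qodana` jobs download and upload them.
name: Unit tests CI

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, so a
# yamllint `truthy` warning on this line is expected and harmless.
on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main

# Workflow-wide default. Jobs below opt in to the few write scopes they need;
# a job-level `permissions:` block resets every scope it does not list to none.
permissions: read-all

jobs:
  tests:
    name: Execute unit tests
    runs-on: ${{ matrix.os }}
    permissions:
      # Required by gradle/actions/setup-gradle to submit the dependency graph.
      contents: write
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-13]  # pin macos to latest x64 image
    steps:
      - name: Checkout code changes
        uses: actions/checkout@v5
      # CodeQL needs a single traced build, so init/analyze run on the Linux leg only.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        if: runner.os == 'Linux'
        with:
          languages: "java"
          queries: security-and-quality
      # Third-party action referenced by a mutable tag. Pinning to a commit SHA
      # (same for filter-sarif and qodana-action below) makes the reference
      # immutable and the supply chain reproducible.
      - name: Setup FFmpeg
        uses: FedericoCarboni/setup-ffmpeg@v3
        with:
          # bump: ffmpeg-ci /ffmpeg-version: '([\d.]+)'/ docker:mwader/static-ffmpeg|~7.0
          ffmpeg-version: '7.0.2'
      - name: Setup Java
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: "25"  # quoted: version identifiers must never be parsed as numbers
      - name: Setup project and upload dependency graph
        uses: gradle/actions/setup-gradle@v4
        with:
          dependency-graph: generate-and-submit
          build-scan-publish: true
          build-scan-terms-of-use-url: 'https://gradle.com/help/legal-terms-of-use'
          build-scan-terms-of-use-agree: 'yes'  # quoted on purpose: the literal string, not a boolean
      - name: Execute tests
        shell: bash
        run: ./gradlew test
      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        if: runner.os == 'Linux'
        with:
          name: coverage_report
          path: build/code-coverage/report.xml
          retention-days: 1
          if-no-files-found: error
      # `upload: false` keeps the raw SARIF local so the `codeql` job can filter
      # it before it is uploaded to code scanning.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        if: runner.os == 'Linux'
        with:
          upload: false
          output: build/sarif-results
      - name: Upload CodeQL report
        uses: actions/upload-artifact@v4
        if: runner.os == 'Linux'
        with:
          name: codeql_analysis
          path: build/sarif-results/java.sarif
          retention-days: 1
          if-no-files-found: error

  codeql:
    name: Upload CodeQL analysis
    needs: tests
    runs-on: ubuntu-latest
    permissions:
      checks: write
      security-events: write
      # NOTE(review): `contents` is not granted here, so the token has no
      # repository read scope; checkout and upload-sarif work on a public
      # repository but may need `contents: read` on a private one — confirm.
    steps:
      - name: Checkout code changes
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
      # Renamed: this step fetches the codeql_analysis artifact, not the coverage report.
      - name: Download CodeQL report
        uses: actions/download-artifact@v5
        with:
          name: codeql_analysis
          path: build/sarif-results
      # Drops findings in build and generated sources before upload; the
      # runner is always Linux here, so no OS guard is needed.
      - name: Filter SARIF
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -.gradle/**
            -**/generated/**
          input: build/sarif-results/java.sarif
          output: build/sarif-results/java.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: build/sarif-results/java.sarif
          category: "/language:java"

  qodana:
    name: Perform Qodana analysis
    # Opt-in through the QODANA_ENABLED configuration variable.
    if: ${{ vars.QODANA_ENABLED == 'true' }}
    needs: tests
    runs-on: ubuntu-latest
    permissions:
      checks: write
      security-events: write
    steps:
      - name: Checkout code changes
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
      - name: Download coverage report
        uses: actions/download-artifact@v5
        with:
          name: coverage_report
          path: .qodana/code-coverage
      - name: Execute analysis
        uses: JetBrains/qodana-action@v2025.2
        env:
          # Referenced from the secret store, never stored in the file.
          # NOTE(review): secrets are not exposed to pull_request runs from
          # forks, so this would be empty there — confirm whether fork PRs
          # are expected to reach this job.
          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
        with:
          args: '--baseline,qodana.baseline.json'
          use-caches: false
          post-pr-comment: false
          pr-mode: false
      - name: Upload results to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json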