[openttd-github.git] / .github / workflows / codeql.yml
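# CodeQL static analysis for the C++ sources.
# Builds the project under the CodeQL tracer, filters the SARIF output and
# uploads the filtered result to GitHub code scanning.
name: CodeQL

on:
  push:
    branches:
    - master
  pull_request:
    # The branches below must be a subset of the branches above
    branches:
    - master

# One run per workflow/ref; a newer run cancels an older one on every ref
# except master, so every master commit is analyzed to completion.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Explicit token scopes: everything not listed here is denied.
    # security-events: write is what lets the last step publish SARIF.
    permissions:
      actions: read
      contents: read
      security-events: write

    # NOTE(review): every `uses:` below references a mutable tag (@v4, @v7,
    # @v3, @v1). A tag can be moved to different code by whoever controls the
    # action's repository; pinning each action to a reviewed full commit SHA
    # (with the tag kept as a trailing comment) removes that exposure.
    steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        # Later steps run code fetched at build time (vcpkg bootstrap, apt
        # packages, third-party actions). Do not leave the job token stored
        # in .git/config where those steps could read it; nothing in this
        # job pushes or fetches with git credentials afterwards.
        persist-credentials: false

    - name: Setup vcpkg caching
      uses: actions/github-script@v7
      with:
        # NOTE(review): exportVariable publishes these values to the
        # environment of every later step in this job, including the vcpkg
        # bootstrap script and the build. ACTIONS_RUNTIME_TOKEN is a
        # credential for the Actions cache service; 'readwrite' below means
        # a step holding it can also write binary-cache entries.
        script: |
          core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
          core.exportVariable('VCPKG_BINARY_SOURCES', 'clear;x-gha,readwrite')

    # NOTE(review): this clones whatever the default branch of vcpkg points
    # at when the job runs and then executes its bootstrap script. Checking
    # out a reviewed commit after the clone would make the toolchain
    # reproducible and keep an upstream change from running unreviewed.
    - name: Install vcpkg
      run: |
        git clone https://github.com/microsoft/vcpkg ${{ runner.temp }}/vcpkg
        ${{ runner.temp }}/vcpkg/bootstrap-vcpkg.sh -disableMetrics

    - name: Install dependencies
      run: |
        echo "::group::Update apt"
        sudo apt-get update
        echo "::endgroup::"

        echo "::group::Install dependencies"
        sudo apt-get install -y --no-install-recommends \
          liballegro4-dev \
          libcurl4-openssl-dev \
          libfontconfig-dev \
          libharfbuzz-dev \
          libicu-dev \
          liblzma-dev \
          liblzo2-dev \
          libopus-dev \
          libopusfile-dev \
          libsdl2-dev \
          zlib1g-dev \
          # EOF
        echo "::endgroup::"

        echo "::group::Install vcpkg dependencies"

        # Disable vcpkg integration, as we mostly use system libraries.
        mv vcpkg.json vcpkg-disabled.json

        # We only use breakpad from vcpkg, as its CMake files
        # are a bit special. So the Ubuntu's variant doesn't work.
        ${{ runner.temp }}/vcpkg/vcpkg install breakpad

        echo "::endgroup::"
      env:
        DEBIAN_FRONTEND: noninteractive

    # Configure before CodeQL is initialized, so only the compile step in
    # "Build" runs between init and analyze.
    - name: Prepare build
      run: |
        mkdir build
        cd build

        echo "::group::CMake"
        cmake .. -DCMAKE_TOOLCHAIN_FILE=${{ runner.temp }}/vcpkg/scripts/buildsystems/vcpkg.cmake
        echo "::endgroup::"

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: cpp
        # Query selection and path rules live in this repository file;
        # changes to it alter what the scan reports and deserve review.
        config-file: ./.github/codeql/codeql-config.yml

    - name: Build
      run: |
        cd build

        echo "::group::Build"
        echo "Running on $(nproc) cores"
        cmake --build . -j $(nproc)
        echo "::endgroup::"

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: /language:cpp
        # Do not publish the unfiltered SARIF on a successful run; the
        # filtered file is uploaded by the last step instead. Written as the
        # action's documented keyword rather than the YAML boolean `False`,
        # whose string form depends on how the workflow parser renders it.
        upload: failure-only
        output: sarif-results

    # Findings under the excluded paths never reach code scanning, so these
    # patterns define what the scan does NOT cover. The file is rewritten in
    # place (input and output are the same path).
    - name: Filter out table & generated code
      uses: advanced-security/filter-sarif@v1
      with:
        patterns: |
          +**/*.*
          -**/table/*.*
          -**/generated/**/*.*
          -**/tests/*.*
        input: sarif-results/cpp.sarif
        output: sarif-results/cpp.sarif

    # Publishes the filtered SARIF; this is the step that needs
    # security-events: write.
    - name: Upload results
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: sarif-results/cpp.sarif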