curl/.github/workflows/codeql-analysis.yml

# Copyright (C) 2000 - 2022 Daniel Stenberg, <daniel@haxx.se>, et al.
#
# SPDX-License-Identifier: curl

name: CodeQL

on:
  push:
    branches:
    - master
    - '*/ci'
  pull_request:
    branches:
    - master
  schedule:
    - cron: '0 0 * * 4'

concurrency:
  group: ${{ github.workflow }}

permissions:
  security-events: write

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v3

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: cpp
        queries: security-extended

    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl

    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
    #    uses a compiled language

    #- run: |
    #   make bootstrap
    #   make release

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
+								# Copyright (C) 2000 - 2022 Daniel Stenberg, <daniel@haxx.se>, et al.
-												copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869

											
										
										
											2022-05-17 17:16:50 +08:00
+								#
 								# SPDX-License-Identifier: curl
-												GHA: align all install, configure and build steps again

First step towards more unified build steps on GitHub Actions.

Closes #8873

											
										
										
											2022-05-18 06:03:16 +08:00
+								name: CodeQL
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
 								on:
 								  push:
-												workflows: limit what branches to run CodeQL on

Align CodeQL action with existing CI actions:
- Update branch filter to avoid duplicate CI runs.
- Shorten workflow name due to informative job name.

Reviewed-by: Daniel Stenberg

Closes #5660

											
										
										
											2020-07-13 04:07:38 +08:00
+								    branches:
-												GHA: align all install, configure and build steps again

First step towards more unified build steps on GitHub Actions.

Closes #8873

											
										
										
											2022-05-18 06:03:16 +08:00
+								    - master
 								    - '*/ci'
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
+								  pull_request:
-												workflows: limit what branches to run CodeQL on

Align CodeQL action with existing CI actions:
- Update branch filter to avoid duplicate CI runs.
- Shorten workflow name due to informative job name.

Reviewed-by: Daniel Stenberg

Closes #5660

											
										
										
											2020-07-13 04:07:38 +08:00
+								    branches:
-												GHA: align all install, configure and build steps again

First step towards more unified build steps on GitHub Actions.

Closes #8873

											
										
										
											2022-05-18 06:03:16 +08:00
+								    - master
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
+								  schedule:
 								    - cron: '0 0 * * 4'
-												CI/GHA: cancel outdated CI runs on new PR changes

Avoid letting outdated CI runs continue if a PR receives
new changes. Outside a PR we let them continue running
by tying the concurrency to the commit hash instead.

Also only let one CodeQL or Hacktoberfest job run at a time.

Other CI platforms we use have this build in, but GitHub
unfortunately neither by default nor with a simple option.

This saves CI resources and therefore a little energy.

Approved-by: Daniel Stenberg
Approved-by: Max Dymond
Closes #9533

											
										
										
											2022-09-18 05:45:32 +08:00
+								concurrency:
 								  group: ${{ github.workflow }}
-												codeql: fix error "Resource not accessible by integration"

- Enable codeql writing security-events.

GitHub set the default permissions to read, apparently since earlier
this year.

Ref: https://github.com/github/codeql-action/issues/464
Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

Fixes https://github.com/curl/curl/issues/7575
Closes https://github.com/curl/curl/pull/7576

											
										
										
											2021-08-16 12:56:48 +08:00
+								permissions:
 								  security-events: write
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
+								jobs:
-												workflows: limit what branches to run CodeQL on

Align CodeQL action with existing CI actions:
- Update branch filter to avoid duplicate CI runs.
- Shorten workflow name due to informative job name.

Reviewed-by: Daniel Stenberg

Closes #5660

											
										
										
											2020-07-13 04:07:38 +08:00
+								  codeql:
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
+								    runs-on: ubuntu-latest
 								    steps:
 								    - name: Checkout repository
-												ci: update github actions

- bump actions/checkout from 2 to 3
- bump actions/upload-artifact from 1 to 3
- bump github/codeql-actions from 1 to 2
- use version tag for actions/checkout

Closes #8843

											
										
										
											2022-05-15 05:37:59 +08:00
+								      uses: actions/checkout@v3
-												codeql-analysis.yml: fix the 'languages' setting

It needs a 'with:' in front of it.

											
										
										
											2020-06-26 14:49:23 +08:00
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
+								    # Initializes the CodeQL tools for scanning.
 								    - name: Initialize CodeQL
-												ci: update github actions

- bump actions/checkout from 2 to 3
- bump actions/upload-artifact from 1 to 3
- bump github/codeql-actions from 1 to 2
- use version tag for actions/checkout

Closes #8843

											
										
										
											2022-05-15 05:37:59 +08:00
+								      uses: github/codeql-action/init@v2
-												codeql-analysis.yml: fix the 'languages' setting

It needs a 'with:' in front of it.

											
										
										
											2020-06-26 14:49:23 +08:00
+								      with:
 								        languages: cpp
-												github/workflow: add "security-extended" to codeql-analysis.yml

Extends the CodeQL code scan.

Closes #6815

											
										
										
											2021-03-31 07:06:03 +08:00
+								        queries: security-extended
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
 								    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
 								    # If this step fails, then you should remove it and run the build manually (see below)
 								    - name: Autobuild
-												ci: update github actions

- bump actions/checkout from 2 to 3
- bump actions/upload-artifact from 1 to 3
- bump github/codeql-actions from 1 to 2
- use version tag for actions/checkout

Closes #8843

											
										
										
											2022-05-15 05:37:59 +08:00
+								      uses: github/codeql-action/autobuild@v2
-												gtihub: codeql-analysis.yml

enables code security scanning with github actions
											
										
										
											2020-06-26 07:06:05 +08:00
 								    # ℹ️ Command-line programs to run using the OS shell.
 								    # 📚 https://git.io/JvXDl
 								    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
 								    #    and modify them (or add more) to build your code if your project
 								    #    uses a compiled language
 								    #- run: |
 								    #   make bootstrap
 								    #   make release
 								    - name: Perform CodeQL Analysis
-												ci: update github actions

- bump actions/checkout from 2 to 3
- bump actions/upload-artifact from 1 to 3
- bump github/codeql-actions from 1 to 2
- use version tag for actions/checkout

Closes #8843

											
										
										
											2022-05-15 05:37:59 +08:00
+								      uses: github/codeql-action/analyze@v2