Skip to content

Bump the github-workflows group with 5 updates #5170

Bump the github-workflows group with 5 updates

Bump the github-workflows group with 5 updates #5170

Workflow file for this run

name: CodeQL
on:
workflow_dispatch:
push:
branches:
- master
pull_request:
# The branches below must be a subset of the branches above
branches:
- master
schedule:
# Every Wednesday at 04:20
- cron: 20 4 * * 3
# We set `concurrency` to prevent having this workflow being run on code that is not up-to-date on a PR (a user make multiple push in a quick manner).
# But on the main branch, we don't want that behavior.
# Having the workflow run on each merge commit is something we would like, that could help us where a regression was made and missed by previous checks.
#
# For that we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call).
concurrency:
group: codeql-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
permissions:
contents: read
security-events: write
jobs:
python-analyze:
name: 🐍 Python static code Analysis
runs-on: ubuntu-20.04
env:
poetry-version: 1.5.1
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin v4.1.1
timeout-minutes: 5
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # pin v2.11.1
id: changes
with:
filters: .github/filters/codeql.yml
- name: Check modified path that require `python-analysis` to run
id: should-run-python-analysis
# We want the job to run when:
# - modifying python code
# - in the merge queue
# - on the main branch
if: >-
steps.changes.outputs.python-analyze == 'true'
|| contains(github.ref, 'gh-readonly-queue')
|| github.ref == 'refs/heads/master'
run: echo "run=true" >> $GITHUB_OUTPUT
shell: bash
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
if: steps.should-run-python-analysis.outputs.run == 'true'
uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4
with:
languages: python
setup-python-dependencies: false
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
- uses: ./.github/actions/setup-python-poetry
if: steps.should-run-python-analysis.outputs.run == 'true'
id: setup-python
with:
poetry-version: ${{ env.poetry-version }}
project-path: ./server
- name: Install python deps
if: steps.should-run-python-analysis.outputs.run == 'true'
run: |
poetry install
poetry run sh -c 'echo "CODEQL_PYTHON=$(which python)"' >> $GITHUB_ENV
working-directory: server
env:
POETRY_LIBPARSEC_BUILD_STRATEGY: no_build
- name: Perform CodeQL Analysis
if: steps.should-run-python-analysis.outputs.run == 'true'
uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4
with:
category: /language:python
# Disabled till we fix Android with Vite
# see issue: #4395
# java-analyze:
# name: ☕ Java static code Analysis
# runs-on: ubuntu-20.04
# env:
# NDK_VERSION: 23.2.8568313
# SDK_VERSION: 30.0.3
# steps:
# - name: Checkout repository
# uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin v4.1.1
# timeout-minutes: 5
# - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # pin v2.11.1
# id: changes
# with:
# filters: .github/filters/codeql.yml
# - name: Check modified path that require `java-analysis` to run
# id: should-run-java-analysis
# if: >-
# steps.changes.outputs.java-analyze == 'true'
# || contains(github.ref, 'gh-readonly-queue')
# || github.ref == 'refs/heads/master'
# run: echo "run=true" >> $GITHUB_OUTPUT
# shell: bash
# - name: Add android cmdline tools to path
# if: steps.should-run-java-analysis.outputs.run == 'true'
# run: echo "$ANDROID_HOME/cmdline-tools/latest/bin" > $GITHUB_PATH
# - name: Install dependencies for Android
# if: steps.should-run-java-analysis.outputs.run == 'true'
# run: sdkmanager --install "ndk;${{ env.NDK_VERSION }}" "build-tools;${{ env.SDK_VERSION }}"
# - name: Install dependencies for ionic project
# if: steps.should-run-java-analysis.outputs.run == 'true'
# run: npm clean-install
# working-directory: client
# - name: Build ionic for Android
# if: steps.should-run-java-analysis.outputs.run == 'true'
# run: |
# npm run android:copy:release
# working-directory: client
# env:
# GRADLE_LIBPARSEC_BUILD_STRATEGY: no_build
# # Initializes the CodeQL tools for scanning.
# - name: Initialize CodeQL
# if: steps.should-run-java-analysis.outputs.run == 'true'
# uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4
# with:
# languages: java
# # If you wish to specify custom queries, you can do so here or in a config file.
# # By default, queries listed here will override any specified in a config file.
# # Prefix the list here with "+" to use these queries and those in the config file.
# # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# # queries: security-extended,security-and-quality
# - name: Autobuild android
# if: steps.should-run-java-analysis.outputs.run == 'true'
# uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4
# with:
# working-directory: client/android
# env:
# GRADLE_LIBPARSEC_BUILD_STRATEGY: no_build
# - name: Perform CodeQL Analysis
# if: steps.should-run-java-analysis.outputs.run == 'true'
# uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4
# with:
# category: /language:java
javascript-analyze:
name: 🌐 Javascript static code Analysis
runs-on: ubuntu-20.04
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin v4.1.1
timeout-minutes: 5
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # pin v2.11.1
id: changes
with:
filters: .github/filters/codeql.yml
- name: Check modified path that require `javascript-analysis` to run
id: should-run-js-analysis
if: >-
steps.changes.outputs.js-analyze == 'true'
|| contains(github.ref, 'gh-readonly-queue')
|| github.ref == 'refs/heads/master'
run: echo "run=true" >> $GITHUB_OUTPUT
shell: bash
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
if: steps.should-run-js-analysis.outputs.run == 'true'
uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4
with:
languages: typescript
- name: Install dependencies for ionic project
if: steps.should-run-js-analysis.outputs.run == 'true'
run: npm clean-install
working-directory: client
- name: Autobuild for typescript
if: steps.should-run-js-analysis.outputs.run == 'true'
uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4
with:
working-directory: client
- name: Perform CodeQL Analysis
if: steps.should-run-js-analysis.outputs.run == 'true'
uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4
with:
category: /language:typescript