Bump the github-workflows group with 3 updates #8181
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CodeQL | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- master | |
pull_request: | |
# The branches below must be a subset of the branches above | |
branches: | |
- master | |
schedule: | |
# Every Wednesday at 04:20 | |
- cron: 20 4 * * 3 | |
# We set `concurrency` to prevent having this workflow being run on code that is not up-to-date on a PR (a user make multiple push in a quick manner). | |
# But on the main branch, we don't want that behavior. | |
# Having the workflow run on each merge commit is something we would like, that could help us where a regression was made and missed by previous checks. | |
# | |
# For that we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call). | |
concurrency: | |
group: codeql-${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
permissions: | |
contents: read | |
security-events: write | |
jobs: | |
python-analyze: | |
name: 🐍 Python static code Analysis | |
runs-on: ubuntu-20.04 | |
env: | |
poetry-version: 1.5.1 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # pin v4.1.2 | |
timeout-minutes: 5 | |
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # pin v3.0.2 | |
id: changes | |
with: | |
filters: .github/filters/codeql.yml | |
- name: Check modified path that require `python-analysis` to run | |
id: should-run-python-analysis | |
# We want the job to run when: | |
# - modifying python code | |
# - in the merge queue | |
# - on the main branch | |
if: >- | |
steps.changes.outputs.python-analyze == 'true' | |
|| contains(github.ref, 'gh-readonly-queue') | |
|| github.ref == 'refs/heads/master' | |
run: echo "run=true" >> $GITHUB_OUTPUT | |
shell: bash | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
if: steps.should-run-python-analysis.outputs.run == 'true' | |
uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4 | |
with: | |
languages: python | |
setup-python-dependencies: false | |
# If you wish to specify custom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list here with "+" to use these queries and those in the config file. | |
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
# queries: security-extended,security-and-quality | |
- uses: ./.github/actions/setup-python-poetry | |
if: steps.should-run-python-analysis.outputs.run == 'true' | |
id: setup-python | |
with: | |
poetry-version: ${{ env.poetry-version }} | |
project-path: ./server | |
- name: Install python deps | |
if: steps.should-run-python-analysis.outputs.run == 'true' | |
run: | | |
poetry install | |
poetry run sh -c 'echo "CODEQL_PYTHON=$(which python)"' >> $GITHUB_ENV | |
working-directory: server | |
env: | |
POETRY_LIBPARSEC_BUILD_STRATEGY: no_build | |
- name: Perform CodeQL Analysis | |
if: steps.should-run-python-analysis.outputs.run == 'true' | |
uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4 | |
with: | |
category: /language:python | |
# Disabled till we fix Android with Vite | |
# see issue: #4395 | |
# java-analyze: | |
# name: ☕ Java static code Analysis | |
# runs-on: ubuntu-20.04 | |
# env: | |
# NDK_VERSION: 23.2.8568313 | |
# SDK_VERSION: 30.0.3 | |
# steps: | |
# - name: Checkout repository | |
# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # pin v4.1.2 | |
# timeout-minutes: 5 | |
# - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # pin v3.0.2 | |
# id: changes | |
# with: | |
# filters: .github/filters/codeql.yml | |
# - name: Check modified path that require `java-analysis` to run | |
# id: should-run-java-analysis | |
# if: >- | |
# steps.changes.outputs.java-analyze == 'true' | |
# || contains(github.ref, 'gh-readonly-queue') | |
# || github.ref == 'refs/heads/master' | |
# run: echo "run=true" >> $GITHUB_OUTPUT | |
# shell: bash | |
# - name: Add android cmdline tools to path | |
# if: steps.should-run-java-analysis.outputs.run == 'true' | |
# run: echo "$ANDROID_HOME/cmdline-tools/latest/bin" > $GITHUB_PATH | |
# - name: Install dependencies for Android | |
# if: steps.should-run-java-analysis.outputs.run == 'true' | |
# run: sdkmanager --install "ndk;${{ env.NDK_VERSION }}" "build-tools;${{ env.SDK_VERSION }}" | |
# - name: Install dependencies for ionic project | |
# if: steps.should-run-java-analysis.outputs.run == 'true' | |
# run: npm clean-install | |
# working-directory: client | |
# - name: Build ionic for Android | |
# if: steps.should-run-java-analysis.outputs.run == 'true' | |
# run: | | |
# npm run android:copy:release | |
# working-directory: client | |
# env: | |
# GRADLE_LIBPARSEC_BUILD_STRATEGY: no_build | |
# # Initializes the CodeQL tools for scanning. | |
# - name: Initialize CodeQL | |
# if: steps.should-run-java-analysis.outputs.run == 'true' | |
# uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4 | |
# with: | |
# languages: java | |
# # If you wish to specify custom queries, you can do so here or in a config file. | |
# # By default, queries listed here will override any specified in a config file. | |
# # Prefix the list here with "+" to use these queries and those in the config file. | |
# # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
# # queries: security-extended,security-and-quality | |
# - name: Autobuild android | |
# if: steps.should-run-java-analysis.outputs.run == 'true' | |
# uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4 | |
# with: | |
# working-directory: client/android | |
# env: | |
# GRADLE_LIBPARSEC_BUILD_STRATEGY: no_build | |
# - name: Perform CodeQL Analysis | |
# if: steps.should-run-java-analysis.outputs.run == 'true' | |
# uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4 | |
# with: | |
# category: /language:java | |
javascript-analyze: | |
name: 🌐 Javascript static code Analysis | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # pin v4.1.2 | |
timeout-minutes: 5 | |
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # pin v3.0.2 | |
id: changes | |
with: | |
filters: .github/filters/codeql.yml | |
- name: Check modified path that require `javascript-analysis` to run | |
id: should-run-js-analysis | |
if: >- | |
steps.changes.outputs.js-analyze == 'true' | |
|| contains(github.ref, 'gh-readonly-queue') | |
|| github.ref == 'refs/heads/master' | |
run: echo "run=true" >> $GITHUB_OUTPUT | |
shell: bash | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
if: steps.should-run-js-analysis.outputs.run == 'true' | |
uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4 | |
with: | |
languages: typescript | |
- name: Install dependencies for ionic project | |
if: steps.should-run-js-analysis.outputs.run == 'true' | |
run: npm clean-install | |
working-directory: client | |
- name: Autobuild for typescript | |
if: steps.should-run-js-analysis.outputs.run == 'true' | |
uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4 | |
with: | |
working-directory: client | |
- name: Perform CodeQL Analysis | |
if: steps.should-run-js-analysis.outputs.run == 'true' | |
uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # pin v2.13.4 | |
with: | |
category: /language:typescript |