
chore(renovate): no rebase Maven PRs #41

chore(renovate): no rebase Maven PRs


Workflow file for this run

name: CodeQL

# Workflow-level token is read-only; the analyze job below widens only what
# it needs (GitHub's loader treats the `on` key correctly even though a
# YAML 1.1 parser reads it as a boolean).
permissions: read-all

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      # A job-level block replaces the workflow-level read-all for this job,
      # so every scope not listed here is dropped. Uploading SARIF results
      # requires security-events: write.
      # NOTE(review): in a private repository the CodeQL workflow would also
      # need contents: read (checkout) and actions: read (result upload) in
      # this block — confirm against the repository's visibility.
      security-events: write
    strategy:
      matrix:
        language:
          - java-kotlin
    steps:
      # Every action is pinned to a full commit SHA; the trailing comment
      # records the release tag that SHA corresponds to.
      - uses: bazel-contrib/setup-bazel@f3f50ea6791b9b0f4c4eeabba4507422426462f5 # 0.9.1
        with:
          # Cache the Bazel download between runs instead of fetching it each time.
          bazelisk-cache: true
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3
        with:
          languages: ${{ matrix.language }}
          # The compilation is driven by the explicit "Build java" step below.
          build-mode: manual
      - name: Remove file to work around bazel version not working under CodeQL
        # Strips build-data.properties from the CodeQL Java agent jar; the
        # `|| echo` fallback keeps the step green when the entry is absent.
        run: |
          zip -d "$CODEQL_EXTRACTOR_JAVA_ROOT/tools/codeql-java-agent.jar" build-data.properties || echo "CodeQL build-data.properties Hack Not Necessary!!!"
      - name: Build java
        # Bazel is invoked with local spawns and no action cache so CodeQL can
        # observe every compilation. This deliberately defeats Bazel's usual
        # caching, which is the opposite of how Bazel is normally used.
        # See also: https://docs.github.com/en/enterprise-cloud@latest/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands
        run: |
          bazel version
          bazel build \
            --spawn_strategy=local --nouse_action_cache \
            //src/main/java/build/buildfarm:buildfarm-server \
            //src/main/java/build/buildfarm:buildfarm-shard-worker
          bazel shutdown
      - uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3
        with:
          category: "/language:${{ matrix.language }}"