From 0e7a16ef6e73f0a33b1e65997cc7d0173be0aab7 Mon Sep 17 00:00:00 2001 From: Thibaud Lopez Schneider Date: Fri, 9 Jun 2023 02:18:45 +0200 Subject: [PATCH 01/11] Create codeql.yml setup CodeQL for Swift --- .github/workflows/codeql.yml | 77 ++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..937e2b4e0 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,77 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '15 13 * * 4' + +jobs: + analyze: + name: Analyze + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript', 'python', 'ruby', 'swift' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" From 859427061b981098519cb06ea97b6b9c39e228a8 Mon Sep 17 00:00:00 2001 From: Jack Alto Date: Fri, 19 Jan 2024 16:34:59 -0500 Subject: [PATCH 02/11] Update run build script to build, configure netrc - Remove unused languages --- .github/workflows/codeql.yml | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 937e2b4e0..b16263251 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
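Review bot: Every `uses:` in the new job references a mutable tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`), so code running with `security-events: write` can change underneath the repository whenever the tag is moved; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`. The `permissions:` block is already reduced to what the scan needs, which is the right shape. One yaml-specific nit: `on:` is a YAML 1.1 boolean key, so yamllint's `truthy` rule will flag it; suppress it in place with `on:  # yamllint disable-line rule:truthy` rather than quoting the key.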
@@ -33,10 +33,7 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'javascript', 'python', 'ruby', 'swift' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] - # Use only 'java' to analyze code written in Java, Kotlin or both - # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + language: [ 'swift' ] # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: @@ -55,21 +52,17 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality + - run: + name: Prepare .netrc file + command: | + echo "machine api.mapbox.com" >> ~/.netrc + echo "login mapbox" >> ~/.netrc + echo "password $SDK_REGISTRY_TOKEN" >> ~/.netrc + chmod 0600 ~/.netrc - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + - run: | + echo "Run, Build Application using script" + ./scirpts/build_spm_sample.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From 47367d8dc19b2b014bd6f448f0b1e02f7e748bad Mon Sep 17 00:00:00 2001 
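Review bot: In the second hunk the `Prepare .netrc file` step writes `password $SDK_REGISTRY_TOKEN` unconditionally, but nothing in this change defines `SDK_REGISTRY_TOKEN`, and the default `bash -e` shell does not set `-u`, so an unset or empty variable silently produces a `~/.netrc` entry with an empty password and the failure only surfaces later when the build cannot fetch the SDK. Make the step fail at the point of misconfiguration by starting the script with `: "${SDK_REGISTRY_TOKEN:?SDK_REGISTRY_TOKEN is not set}"`. The `>>` appends also mean an existing `machine api.mapbox.com` entry in the runner's `~/.netrc` would take precedence (unlikely on a fresh hosted runner, but not guaranteed); writing the file with `umask 077` and a single `>` redirect makes both content and mode deterministic. The step is also written as `run:` with nested `name:`/`command:` keys, which is CircleCI's step shape rather than the GitHub Actions schema (patch 03 in this series corrects that).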
From: Jack Alto Date: Fri, 19 Jan 2024 17:24:34 -0500 Subject: [PATCH 03/11] Fix typo, update netrc step --- .github/workflows/codeql.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b16263251..c2e2c1d3f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -52,17 +52,16 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - - run: - name: Prepare .netrc file - command: | - echo "machine api.mapbox.com" >> ~/.netrc - echo "login mapbox" >> ~/.netrc - echo "password $SDK_REGISTRY_TOKEN" >> ~/.netrc - chmod 0600 ~/.netrc + - name: Prepare .netrc file + run: | + echo "machine api.mapbox.com" >> ~/.netrc + echo "login mapbox" >> ~/.netrc + echo "password $SDK_REGISTRY_TOKEN" >> ~/.netrc + chmod 0600 ~/.netrc - run: | echo "Run, Build Application using script" - ./scirpts/build_spm_sample.sh + ./scripts/build_spm_sample.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From 336ea6abbac389a4a2f3b603ba2563eb61616fdf Mon Sep 17 00:00:00 2001 From: Jack Alto Date: Mon, 22 Jan 2024 14:00:27 -0500 Subject: [PATCH 04/11] Add step to install xcodegen --- .github/workflows/codeql.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c2e2c1d3f..18d416f50 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -59,6 +59,10 @@ jobs: echo "password $SDK_REGISTRY_TOKEN" >> ~/.netrc chmod 0600 ~/.netrc + - run: | + echo "Set up dependencies" + brew install xcodegen + - run: | echo "Run, Build Application using script" ./scripts/build_spm_sample.sh From 07c05700d9ea4b92f801767be956b0c15d42551f Mon Sep 17 00:00:00 2001 
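Review bot: The build step is still a bare `- run: |` with no `name:`, so the job log and any required-check UI identify it only by its first command, `Run echo "Run, Build Application using script"`; give it a name such as `- name: Build SPM sample` and drop the placeholder echo inherited from the CodeQL template. The same applies to the `brew install xcodegen` step added in patch 04 of this series.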
From: Jack Alto Date: Mon, 22 Jan 2024 15:05:27 -0500 Subject: [PATCH 05/11] Add registry token environment variable --- .github/workflows/codeql.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 18d416f50..47e8b1d13 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,6 +36,9 @@ jobs: language: [ 'swift' ] # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + env: + SDK_REGISTRY_TOKEN: ${{ secrets.SDK_REGISTRY_TOKEN }} + steps: - name: Checkout repository uses: actions/checkout@v3 From 7ef549a1d33154a682279443a4d4ca1246436c26 Mon Sep 17 00:00:00 2001 From: Jack Alto Date: Mon, 22 Jan 2024 15:44:50 -0500 Subject: [PATCH 06/11] Try plain build script instead of spm-build, align circleCI on 14.1 --- .circleci/config.yml | 2 +- .github/workflows/codeql.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8a0fd61cc..c3a3bd62a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -235,7 +235,7 @@ jobs: spm-build: macos: - xcode: 14.3.1 + xcode: 14.1 steps: - checkout - setup-authentication diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 47e8b1d13..d018cecf7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -68,7 +68,7 @@ jobs: - run: | echo "Run, Build Application using script" - ./scripts/build_spm_sample.sh + ./scripts/build.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From 333009c64b4e7e7e58f7dad14888773a40e536aa Mon Sep 17 00:00:00 2001 From: Jack Alto Date: Mon, 22 Jan 2024 15:53:27 -0500 Subject: [PATCH 07/11] Update build command --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d018cecf7..1d603b97b 100644 --- a/.github/workflows/codeql.yml 
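Review bot: Defining `SDK_REGISTRY_TOKEN` under the job-level `env:` exposes the secret to every step in the job, including the third-party `actions/checkout` and `github/codeql-action/*` steps that never need it; scope it to the one step that writes `~/.netrc` by moving the two `env:` lines under `- name: Prepare .netrc file`. Passing the value through `env:` (job- or step-level) is still the right mechanism, since the shell reads an environment variable instead of having the secret spliced into the script text. Note also that for `pull_request` runs from forks the secret is empty, so the netrc step should fail clearly in that case rather than write an empty `password` line — this is inferred from the `on.pull_request` trigger in the original file, outside this hunk.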
+++ b/.github/workflows/codeql.yml @@ -68,7 +68,7 @@ jobs: - run: | echo "Run, Build Application using script" - ./scripts/build.sh + /usr/bin/xcodebuild -scheme "Demo" -project MapboxSearch.xcodeproj CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From 964b468a5aaf9f8868a45bd1e5090e25d2a2cb14 Mon Sep 17 00:00:00 2001 From: Jack Alto Date: Tue, 23 Jan 2024 12:00:44 -0500 Subject: [PATCH 08/11] Select Xcode 14.1 in CodeQL jobs - Align spm build script with Xcode 14.1 -> iOS 16.1 on iPhone 14 - Always pick macoslatest because do not build on ubuntu --- .github/workflows/codeql.yml | 7 ++++++- scripts/build_spm_sample.sh | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1d603b97b..ec787a884 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,7 +23,7 @@ on: jobs: analyze: name: Analyze - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + runs-on: macos-latest timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: actions: read @@ -39,6 +39,11 @@ jobs: env: SDK_REGISTRY_TOKEN: ${{ secrets.SDK_REGISTRY_TOKEN }} + steps: + - name: "Set Xcode version" + run: | + sudo xcode-select -s /Applications/Xcode_14.1.app + steps: - name: Checkout repository uses: actions/checkout@v3 diff --git a/scripts/build_spm_sample.sh b/scripts/build_spm_sample.sh index ab675f032..cdcdd268e 100755 --- a/scripts/build_spm_sample.sh +++ b/scripts/build_spm_sample.sh 
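Review bot: In the first hunk `runs-on` becomes a fixed `macos-latest`, but the context line below it still evaluates `${{ (matrix.language == 'swift' && 120) || 360 }}` for `timeout-minutes`, which is always 120 now that the matrix is `[ 'swift' ]`; write it as `timeout-minutes: 120`. The second hunk pairs the floating `macos-latest` label with a hard-coded `sudo xcode-select -s /Applications/Xcode_14.1.app`; the label rolls forward to new runner images whose bundled Xcode versions change, so this step will start failing once the current image no longer ships 14.1 — pin `runs-on` to a specific image (e.g. `runs-on: macos-13` — TODO confirm which image ships Xcode 14.1) so the selected Xcode and the image move together.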
@@ -38,7 +38,7 @@ EOF BASEDIR="${BASEDIR}" xcodegen xcodebuild -resolvePackageDependencies -derivedDataPath derivedData -scheme CircleCIApp -xcodebuild -scheme "CircleCIApp" -destination 'platform=iOS Simulator,name=iPhone 13,OS=15.0' -derivedDataPath derivedData/ -project CircleCIApp.xcodeproj CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO +xcodebuild -scheme "CircleCIApp" -destination 'platform=iOS Simulator,name=iPhone 14,OS=16.1' -derivedDataPath derivedData/ -project CircleCIApp.xcodeproj CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO popd From ebf5f6dd803a514db5c3b5b7f688684903237c25 Mon Sep 17 00:00:00 2001 From: Jack Alto Date: Tue, 23 Jan 2024 12:13:25 -0500 Subject: [PATCH 09/11] Fix YAML declaration --- .github/workflows/codeql.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ec787a884..7f316fe22 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,7 +44,6 @@ jobs: run: | sudo xcode-select -s /Applications/Xcode_14.1.app - steps: - name: Checkout repository uses: actions/checkout@v3 From d7a3703eae6d6646d6a6b7760981bf3c375d69cc Mon Sep 17 00:00:00 2001 From: Jack Alto Date: Tue, 23 Jan 2024 12:20:43 -0500 Subject: [PATCH 10/11] Update build and run step to use spm build script --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7f316fe22..21dd0dba0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -72,7 +72,7 @@ jobs: - run: | echo "Run, Build Application using script" - /usr/bin/xcodebuild -scheme "Demo" -project MapboxSearch.xcodeproj CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO + ./scripts/build_spm_sample.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 
From d01f5f1b06bc5f0bf1f96dab209b2e1ce119a758 Mon Sep 17 00:00:00 2001 From: Jack Alto <384288+aokj4ck@users.noreply.github.com> Date: Tue, 23 Jan 2024 14:10:17 -0500 Subject: [PATCH 11/11] Update codeql.yml for PR feedback --- .github/workflows/codeql.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 21dd0dba0..12737985c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,9 +36,6 @@ jobs: language: [ 'swift' ] # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - env: - SDK_REGISTRY_TOKEN: ${{ secrets.SDK_REGISTRY_TOKEN }} - steps: - name: "Set Xcode version" run: | @@ -63,7 +60,7 @@ jobs: run: | echo "machine api.mapbox.com" >> ~/.netrc echo "login mapbox" >> ~/.netrc - echo "password $SDK_REGISTRY_TOKEN" >> ~/.netrc + echo "password ${{ secrets.SDK_REGISTRY_TOKEN }}" >> ~/.netrc chmod 0600 ~/.netrc - run: |
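Review bot: The second hunk splices `${{ secrets.SDK_REGISTRY_TOKEN }}` straight into the `run:` script, so the runner expands the expression before bash starts and the token becomes literal text in the generated script file; the usual guidance is to pass values into `run:` through `env:` and read them as shell variables, which also keeps the `echo` line well-formed if the token ever contains a quote or `$`. The job-level `env:` removed in the first hunk was the right mechanism, only too broadly scoped; reinstate it on the netrc step as `env:` / `SDK_REGISTRY_TOKEN: ${{ secrets.SDK_REGISTRY_TOKEN }}` under `- name: Prepare .netrc file`, and keep `echo "password $SDK_REGISTRY_TOKEN" >> ~/.netrc`. Log masking applies either way, but with `env:` the value never appears in the script written to the runner's disk. The enclosing `steps:` list continues past the end of the hunk.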