Skip to content

Commit

Permalink
Fix nasa#412, git error in CodeQL Analyze Action
Browse files Browse the repository at this point in the history
- Adds new component-path input parameter
- Use git clone instead of checkout@v2 for the cFS-Bundle
- Use symlink to map calling repo workspace to expected cFS Bundle directory location
- Repurpose tests input to be a boolean tied to "ENABLE_UNIT_TESTS" flag
- Enable "code snippets" option to CodeQL Analyze action
- Archives sarif files from analysis output
- Removes code duplication by using a matrix build for security and coding standard analyses
- Alphabetizes workflow inputs and order based on "required" flag
  • Loading branch information
astrogeco committed Jan 26, 2022
1 parent 031b0ff commit b7b564c
Showing 1 changed file with 76 additions and 78 deletions.
154 changes: 76 additions & 78 deletions .github/workflows/codeql-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,28 +3,47 @@ name: "CodeQL Analysis"
on:
workflow_call:
inputs:
setup:
description: 'Build Prep'
# REQUIRED
component-path:
description: 'Path to repo being tested in a cFS bundle setup'
type: string
default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs'
make-prep:
description: 'Make Prep'
required: true

category:
description: 'Analysis Category'
required: false
type: string
default: ''

make:
description: 'Make Copy'
description: 'Build Command'
default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source
required: false
type: string

prep:
description: 'Make Prep'
default: make prep
required: false
type: string

setup:
description: 'Build Prep Commands'
type: string
default: 'make'
tests:
description: 'Tests'
default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs
required: false

test:
description: 'Value for ENABLE_UNIT_TESTS flag'
type: string
default: ''
default: false
required: false

env:
SIMULATION: native
ENABLE_UNIT_TESTS: true
ENABLE_UNIT_TESTS: ${{inputs.tests}}
OMIT_DEPRECATED: true
BUILDTYPE: release
REPO: ${{github.event.repository.name}}

jobs:
#Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action.
Expand All @@ -40,91 +59,70 @@ jobs:
concurrent_skipping: 'same_content'
skip_after_successful_duplicate: 'true'
do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
CodeQL-Security-Build:

Analysis:
#Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
needs: check-for-duplicates
if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
runs-on: ubuntu-18.04
timeout-minutes: 15

strategy:
fail-fast: false
matrix:
scan-type: [security, coding-standard]

permissions:
security-events: write

steps:
# Checks out a copy of your repository
- name: Checkout code
# Checks out a copy of calling repository
- name: Checkout ${{ github.repository }}
uses: actions/checkout@v2
with:
repository: nasa/cFS
submodules: true

- name: Check versions
- name: Clone cFS bundle
run: |
git log -1 --pretty=oneline
git submodule
cd ..
git clone https://github.com/nasa/cFS.git --recurse-submodules
cd cFS
git log -1 --pretty=oneline
git submodule
rm -r .git
- name: Create symlink to current repo
run: |
cd ../cFS
rm -r ${{ inputs.component-path }}
ln -s ${{github.workspace}} ${{ inputs.component-path }}
# Setup the build system
- name: cFS Build Setup
run: ${{ inputs.setup }}
working-directory: ../cFS

- name: Prep Build
run: ${{ inputs.prep }}
working-directory: ../cFS

- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: c
config-file: nasa/cFS/.github/codeql/codeql-security.yml@main

- name: Copy sample_defs
run: ${{ inputs.setup }}
config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main

- name: Make prep
run: ${{ inputs.make-prep }}

- name: Make Install
- name: Build
run: ${{ inputs.make }}

- name: Run tests
run: ${{ inputs.tests }}
working-directory: ../cFS

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1

CodeQL-Coding-Standard-Build:
#Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
needs: check-for-duplicates
if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
runs-on: ubuntu-18.04
timeout-minutes: 15

steps:
# Checks out a copy of your repository
- name: Checkout code
uses: actions/checkout@v2
with:
repository: nasa/cFS
submodules: true

- name: Check versions
run: |
git log -1 --pretty=oneline
git submodule
- name: Checkout codeql code
uses: actions/checkout@v2
with:
repository: github/codeql
submodules: true
path: codeql
add-snippets: true
category: ${{matrix.scan-type}}
upload: false

- name: Initialize CodeQL
uses: github/codeql-action/init@v1
- name: Archive Sarif
uses: actions/upload-artifact@v2
with:
languages: c
config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main

- name: Copy sample_defs
run: ${{ inputs.setup }}

- name: Make prep
run: ${{ inputs.make-prep }}

- name: Make Install
run: ${{ inputs.make }}

- name: Run tests
run: ${{ inputs.tests }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
name: CodeQL-Sarif-${{ matrix.scan-type }}
path: /home/runner/work/${{env.REPO}}/results/cpp.sarif

0 comments on commit b7b564c

Please sign in to comment.