Semantic Analysis #210
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Semantic Analysis | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - '*' | |
| paths-ignore: | |
| - '**.md' | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '**.md' | |
| - 'changelog.lua' | |
| - '.gitignore' | |
| schedule: | |
| - cron: '00 00 * * 6' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| analyze: | |
| name: Scan with CodeQL | |
| runs-on: 'ubuntu-latest' | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: ['cpp'] | |
| steps: | |
| - name: Checkout Git repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| # Required so that git describe actually works (and we can discover version tags) | |
| fetch-depth: "0" | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL scan | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| - name: Set up ccache | |
| uses: hendrikmuhs/ccache-action@v1.2 | |
| - name: Update apt cache | |
| run: sudo apt-get update | |
| - name: Install Ninja | |
| run: sudo apt-get install ninja-build | |
| # Can't actually be used on CI runners, but we need the headers for embedding webview | |
| - name: Install WebKitGTK | |
| run: sudo apt-get install gtk+-3.0-dev webkit2gtk-4.0-dev --yes | |
| - name: Install PulseAudio | |
| run: sudo apt-get install pulseaudio libpulse-dev --yes | |
| - name: Configure environment | |
| run: | | |
| export PATH="/usr/lib/ccache:$PATH" | |
| echo "CC=/usr/lib/ccache/gcc" >> $GITHUB_ENV | |
| echo "CXX=/usr/lib/ccache/g++" >> $GITHUB_ENV | |
| - name: Build dependencies | |
| run: bash deps/unixbuild-all.sh | |
| - name: Build the runtime | |
| run: bash ./unixbuild.sh | |
| - name: Perform CodeQL analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| upload: false # Upload separately so it can be filtered | |
| output: sarif-results | |
| - name: Basic sanity check | |
| run: ls -l && ls -l sarif-results && file sarif-results/cpp.sarif | |
| - name: Filter SARIF | |
| uses: advanced-security/filter-sarif@v1 | |
| with: | |
| # Getting spammed with library alerts is useless; no one will ever fix them all | |
| patterns: | | |
| +**/*.c | |
| +**/*.cpp | |
| -**/*deps/** | |
| input: sarif-results/${{ matrix.language }}.sarif | |
| output: sarif-results/${{ matrix.language }}.sarif | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: sarif-results/${{ matrix.language }}.sarif | |
| category: "/language:${{matrix.language}}" | |
| - name: Upload analysis results | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: sarif-results | |
| path: sarif-results | |
| retention-days: 1 |