Declare permissions #6173
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Ruby: Build" | |
on: | |
push: | |
paths: | |
- "ruby/**" | |
- .github/workflows/ruby-build.yml | |
- .github/actions/fetch-codeql/action.yml | |
- codeql-workspace.yml | |
branches: | |
- main | |
- "rc/*" | |
pull_request: | |
paths: | |
- "ruby/**" | |
- .github/workflows/ruby-build.yml | |
- .github/actions/fetch-codeql/action.yml | |
- codeql-workspace.yml | |
branches: | |
- main | |
- "rc/*" | |
workflow_dispatch: | |
inputs: | |
tag: | |
description: "Version tag to create" | |
required: false | |
env: | |
CARGO_TERM_COLOR: always | |
defaults: | |
run: | |
working-directory: ruby | |
permissions: | |
contents: read | |
jobs: | |
build: | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install GNU tar | |
if: runner.os == 'macOS' | |
run: | | |
brew install gnu-tar | |
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH | |
- name: Install cargo-cross | |
if: runner.os == 'Linux' | |
run: cargo install cross --version 0.2.5 | |
- uses: ./.github/actions/os-version | |
id: os_version | |
- name: Cache entire extractor | |
uses: actions/cache@v3 | |
id: cache-extractor | |
with: | |
path: | | |
ruby/extractor/target/release/codeql-extractor-ruby | |
ruby/extractor/target/release/codeql-extractor-ruby.exe | |
ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll | |
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }} | |
- uses: actions/cache@v3 | |
if: steps.cache-extractor.outputs.cache-hit != 'true' | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
ruby/target | |
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }} | |
- name: Check formatting | |
if: steps.cache-extractor.outputs.cache-hit != 'true' | |
run: cd extractor && cargo fmt --all -- --check | |
- name: Build | |
if: steps.cache-extractor.outputs.cache-hit != 'true' | |
run: cd extractor && cargo build --verbose | |
- name: Run tests | |
if: steps.cache-extractor.outputs.cache-hit != 'true' | |
run: cd extractor && cargo test --verbose | |
# On linux, build the extractor via cross in a centos7 container. | |
# This ensures we don't depend on glibc > 2.17. | |
- name: Release build (linux) | |
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux' | |
run: | | |
cd extractor | |
cross build --release | |
mv target/x86_64-unknown-linux-gnu/release/codeql-extractor-ruby target/release/ | |
- name: Release build (windows and macos) | |
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux' | |
run: cd extractor && cargo build --release | |
- name: Generate dbscheme | |
if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}} | |
run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll | |
- uses: actions/upload-artifact@v3 | |
if: ${{ matrix.os == 'ubuntu-latest' }} | |
with: | |
name: ruby.dbscheme | |
path: ruby/ql/lib/ruby.dbscheme | |
- uses: actions/upload-artifact@v3 | |
if: ${{ matrix.os == 'ubuntu-latest' }} | |
with: | |
name: TreeSitter.qll | |
path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: extractor-${{ matrix.os }} | |
path: | | |
ruby/extractor/target/release/codeql-extractor-ruby | |
ruby/extractor/target/release/codeql-extractor-ruby.exe | |
retention-days: 1 | |
compile-queries: | |
if: github.repository_owner == 'github' | |
runs-on: ubuntu-latest-xl | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Fetch CodeQL | |
uses: ./.github/actions/fetch-codeql | |
- name: Cache compilation cache | |
id: query-cache | |
uses: ./.github/actions/cache-query-compilation | |
with: | |
key: ruby-build | |
- name: Build Query Pack | |
run: | | |
PACKS=${{ runner.temp }}/query-packs | |
rm -rf $PACKS | |
codeql pack create ../misc/suite-helpers --output "$PACKS" | |
codeql pack create ../shared/regex --output "$PACKS" | |
codeql pack create ../shared/ssa --output "$PACKS" | |
codeql pack create ../shared/tutorial --output "$PACKS" | |
codeql pack create ql/lib --output "$PACKS" | |
codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" | |
PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*) | |
codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src | |
(cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;) | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: codeql-ruby-queries | |
path: | | |
${{ runner.temp }}/query-packs/* | |
retention-days: 1 | |
package: | |
runs-on: ubuntu-latest | |
needs: [build, compile-queries] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@v3 | |
with: | |
name: ruby.dbscheme | |
path: ruby/ruby | |
- uses: actions/download-artifact@v3 | |
with: | |
name: extractor-ubuntu-latest | |
path: ruby/linux64 | |
- uses: actions/download-artifact@v3 | |
with: | |
name: extractor-windows-latest | |
path: ruby/win64 | |
- uses: actions/download-artifact@v3 | |
with: | |
name: extractor-macos-latest | |
path: ruby/osx64 | |
- run: | | |
mkdir -p ruby | |
cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/ | |
mkdir -p ruby/tools/{linux64,osx64,win64} | |
cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor | |
cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor | |
cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe | |
chmod +x ruby/tools/{linux64,osx64}/extractor | |
zip -rq codeql-ruby.zip ruby | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: codeql-ruby-pack | |
path: ruby/codeql-ruby.zip | |
retention-days: 1 | |
- uses: actions/download-artifact@v3 | |
with: | |
name: codeql-ruby-queries | |
path: ruby/qlpacks | |
- run: | | |
echo '{ | |
"provide": [ | |
"ruby/codeql-extractor.yml", | |
"qlpacks/*/*/*/qlpack.yml" | |
] | |
}' > .codeqlmanifest.json | |
zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: codeql-ruby-bundle | |
path: ruby/codeql-ruby-bundle.zip | |
retention-days: 1 | |
test: | |
defaults: | |
run: | |
working-directory: ${{ github.workspace }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
runs-on: ${{ matrix.os }} | |
needs: [package] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Fetch CodeQL | |
uses: ./.github/actions/fetch-codeql | |
- name: Download Ruby bundle | |
uses: actions/download-artifact@v3 | |
with: | |
name: codeql-ruby-bundle | |
path: ${{ runner.temp }} | |
- name: Unzip Ruby bundle | |
shell: bash | |
run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip" | |
- name: Run QL test | |
shell: bash | |
run: | | |
codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/ | |
- name: Create database | |
shell: bash | |
run: | | |
codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database | |
- name: Analyze database | |
shell: bash | |
run: | | |
codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls | |
# This is a copy of the 'test' job that runs in a centos7 container. | |
# This tests that the extractor works correctly on systems with an old glibc. | |
test-centos7: | |
defaults: | |
run: | |
working-directory: ${{ github.workspace }} | |
strategy: | |
fail-fast: false | |
runs-on: ubuntu-latest | |
container: | |
image: centos:centos7 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
needs: [package] | |
steps: | |
- name: Install gh cli | |
run: | | |
yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo | |
# fetch-codeql requires unzip and jq | |
# jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/) | |
yum install -y gh unzip epel-release | |
yum install -y jq | |
- uses: actions/checkout@v3 | |
- name: Fetch CodeQL | |
uses: ./.github/actions/fetch-codeql | |
# Due to a bug in Actions, we can't use runner.temp in the run blocks here. | |
# https://github.com/actions/runner/issues/2185 | |
- name: Download Ruby bundle | |
uses: actions/download-artifact@v3 | |
with: | |
name: codeql-ruby-bundle | |
path: ${{ runner.temp }} | |
- name: Unzip Ruby bundle | |
shell: bash | |
run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip | |
- name: Run QL test | |
shell: bash | |
run: | | |
codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/ | |
- name: Create database | |
shell: bash | |
run: | | |
codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database | |
- name: Analyze database | |
shell: bash | |
run: | | |
codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls |