CodeQL #23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "CodeQL" | |
on: | |
push: | |
branches: | |
- main | |
- release-**.0 | |
schedule: | |
- cron: '0 0 * * 1' | |
workflow_dispatch: | |
permissions: read-all | |
jobs: | |
analyze: | |
name: Analyze | |
runs-on: ubuntu-24.04 | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
language: [ 'go', 'javascript', 'python' ] | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Set up Go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version-file: go.mod | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: ${{ matrix.language }} | |
# If you wish to specify cu stom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list here with "+" to use these queries and those in the config file. | |
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
# queries: security-extended,security-and-quality | |
- name: Get base dependencies | |
run: | | |
sudo DEBIAN_FRONTEND="noninteractive" apt-get update | |
# Uninstall any previously installed MySQL first | |
sudo systemctl stop apparmor | |
sudo DEBIAN_FRONTEND="noninteractive" apt-get remove -y --purge mysql-server mysql-client mysql-common | |
sudo apt-get -y autoremove | |
sudo apt-get -y autoclean | |
sudo deluser mysql | |
sudo rm -rf /var/lib/mysql | |
sudo rm -rf /etc/mysql | |
# Install mysql80 | |
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A8D3785C | |
wget -c https://dev.mysql.com/get/mysql-apt-config_0.8.33-1_all.deb | |
echo mysql-apt-config mysql-apt-config/select-server select mysql-8.0 | sudo debconf-set-selections | |
sudo DEBIAN_FRONTEND="noninteractive" dpkg -i mysql-apt-config* | |
sudo apt-get update | |
sudo DEBIAN_FRONTEND="noninteractive" apt-get install -y mysql-server mysql-client | |
# Install everything else we need, and configure | |
sudo apt-get install -y make unzip g++ etcd-client etcd-server curl git wget eatmydata | |
sudo service mysql stop | |
sudo service etcd stop | |
sudo bash -c "echo '/usr/sbin/mysqld { }' > /etc/apparmor.d/usr.sbin.mysqld" # https://bugs.launchpad.net/ubuntu/+source/mariadb-10.1/+bug/1806263 | |
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/ | |
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld || echo "could not remove mysqld profile" | |
# install JUnit report formatter | |
go install github.com/vitessio/go-junit-report@HEAD | |
- name: Building binaries | |
timeout-minutes: 30 | |
run: | | |
source build.env | |
make build | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
- name: Slack Workflow Notification | |
if: ${{ failure() }} | |
uses: Gamesight/slack-workflow-status@master | |
with: | |
repo_token: ${{secrets.GITHUB_TOKEN}} | |
slack_webhook_url: ${{secrets.SLACK_WEBHOOK_URL}} | |
channel: '#codeql' | |
name: 'CodeQL Workflows' | |
- name: Fail if needed | |
if: ${{ failure() }} | |
run: | | |
exit 1 |