diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..1d7f9783
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,108 @@
+# Copyright (C) 2025 Roberto Rossini
+# SPDX-License-Identifier: MIT
+
+name: Run CodeQL analysis
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - ".github/workflows/codeql.yml"
+ - "cmake/**"
+ - "examples/**"
+ - "src/**"
+ - "test/integration/**"
+ - "test/units/**"
+ - "CMakeLists.txt"
+ - "conanfile.py"
+ schedule:
+ - cron: "0 5 1 * *" # run monthly at 05:00
+
+# https://stackoverflow.com/a/72408109
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ build-conan-deps:
+ name: Build Conan deps
+ uses: paulsengroup/hictk/.github/workflows/build-conan-deps.yml@main
+ with:
+ os: ubuntu-20.04
+
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-24.04
+ needs: [build-conan-deps]
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - { language: actions, build-mode: none }
+ - { language: c-cpp, build-mode: manual }
+ - { language: python, build-mode: none }
+ permissions:
+ contents: read
+ security-events: write
+
+ env:
+ CCACHE_DISABLE: "1"
+ CONAN_HOME: "/opt/conan/"
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4
+
+ - name: Restore Conan cache
+ if: matrix.language == 'c-cpp'
+ uses: actions/cache/restore@v4
+ with:
+ key: ${{ needs.build-conan-deps.outputs.conan-key }}
+ path: ${{ env.CONAN_HOME }}/p
+ fail-on-cache-miss: true
+
+ - name: Restore CMake configs
+ if: matrix.language == 'c-cpp'
+ uses: actions/cache/restore@v4
+ with:
+ key: ${{ needs.build-conan-deps.outputs.cmake-prefix-debug-key }}
+ path: /tmp/cmake-prefix-dbg.tar
+ fail-on-cache-miss: true
+
+ - name: Extract CMake configs
+ if: matrix.language == 'c-cpp'
+ run: |
+ mkdir conan-env
+ sudo chown "$USER" /tmp/cmake-prefix-dbg.tar
+ tar -xf /tmp/cmake-prefix-dbg.tar -C conan-env/ --strip-components=1
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Configure project
+ if: matrix.language == 'c-cpp'
+ run: |
+ cmake -DCMAKE_BUILD_TYPE=Debug \
+ -DCMAKE_PREFIX_PATH="$PWD/conan-env" \
+ -DENABLE_DEVELOPER_MODE=OFF \
+ -DHICTK_ENABLE_TESTING=ON \
+ -DHICTK_BUILD_EXAMPLES=ON \
+ -DHICTK_DOWNLOAD_TEST_DATASET=OFF \
+ -DHICTK_ENABLE_GIT_VERSION_TRACKING=OFF \
+ -DCMAKE_INSTALL_PREFIX=dest \
+ -S . \
+ -B build
+
+ - name: Build project
+ if: matrix.language == 'c-cpp'
+ run: cmake --build build -j $(nproc)
+
+ - uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
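Review bot: The action references in the `steps` list (`actions/checkout@v4`, `actions/cache/restore@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) float on mutable major tags, and the reusable workflow under `build-conan-deps` is taken from `@main`, so the code that runs with `security-events: write` can change without any commit to this repository. Pinning each third-party action to a full-length commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, keeps the supply chain reviewable, and Dependabot's `github-actions` ecosystem can keep such pins current. Two smaller points: the final `github/codeql-action/analyze@v3` step is the only one without a `name:`, and the `concurrency.group` expression references `github.event.pull_request.number` although the workflow only has `push` and `schedule` triggers, so that part of the expression never contributes and could be dropped for clarity.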