Mercurial > p > roundup > code
annotate .github/workflows/codeql-analysis.yml @ 7178:db06d4aeb978
unshadow stdlib token from roundup's token.
This bites me every now and again when running pytest and pdb. Some
submodules want to load the stdlib python and end up getting roundup's
python and thing break with N_TOKENS not defined etc.
So rename token.py to token_r.py (token_r(oundup)... hey naming things
is hard) an change code as needed.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 26 Feb 2023 12:00:35 -0500 |
| parents | cc49ac11850f |
| children | fcf7e210a0f9 |
| rev | line source |
|---|---|
|
6286
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
1 # For most projects, this workflow file will not need changing; you simply need |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
2 # to commit it to your repository. |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
3 # |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
4 # You may wish to alter this file to override the set of languages analyzed, |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
5 # or to provide custom queries or build logic. |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
6 # |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
7 # ******** NOTE ******** |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
8 # We have attempted to detect the languages in your repository. Please check |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
9 # the `language` matrix defined below to confirm you have the correct set of |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
10 # supported CodeQL languages. |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
11 # ******** NOTE ******** |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
12 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
13 name: "CodeQL" |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
14 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
15 on: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
16 push: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
17 branches: [ master ] |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
18 pull_request: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
19 # The branches below must be a subset of the branches above |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
20 branches: [ master ] |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
21 schedule: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
22 - cron: '28 17 * * 1' |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
23 |
|
7129
c7e35b96907d
Try another permission setup.
John Rouillard <rouilj@ieee.org>
parents:
7128
diff
changeset
|
24 permissions: |
|
c7e35b96907d
Try another permission setup.
John Rouillard <rouilj@ieee.org>
parents:
7128
diff
changeset
|
25 contents: read |
|
c7e35b96907d
Try another permission setup.
John Rouillard <rouilj@ieee.org>
parents:
7128
diff
changeset
|
26 |
|
6956
ca6b056b79a4
only run on most current push.
John Rouillard <rouilj@ieee.org>
parents:
6837
diff
changeset
|
27 concurrency: |
|
ca6b056b79a4
only run on most current push.
John Rouillard <rouilj@ieee.org>
parents:
6837
diff
changeset
|
28 group: ${{ github.workflow }}-${{ github.ref }} |
|
ca6b056b79a4
only run on most current push.
John Rouillard <rouilj@ieee.org>
parents:
6837
diff
changeset
|
29 cancel-in-progress: true |
|
ca6b056b79a4
only run on most current push.
John Rouillard <rouilj@ieee.org>
parents:
6837
diff
changeset
|
30 |
|
6286
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
31 jobs: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
32 analyze: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
33 name: Analyze |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
34 runs-on: ubuntu-latest |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
35 |
|
7129
c7e35b96907d
Try another permission setup.
John Rouillard <rouilj@ieee.org>
parents:
7128
diff
changeset
|
36 permissions: |
|
c7e35b96907d
Try another permission setup.
John Rouillard <rouilj@ieee.org>
parents:
7128
diff
changeset
|
37 contents: read |
|
c7e35b96907d
Try another permission setup.
John Rouillard <rouilj@ieee.org>
parents:
7128
diff
changeset
|
38 security-events: write |
|
c7e35b96907d
Try another permission setup.
John Rouillard <rouilj@ieee.org>
parents:
7128
diff
changeset
|
39 |
|
6286
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
40 strategy: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
41 fail-fast: false |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
42 matrix: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
43 language: [ 'javascript', 'python' ] |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
44 # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
45 # Learn more... |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
46 # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
47 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
48 steps: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
49 - name: Checkout repository |
|
7148
cc49ac11850f
Pin actions by using hashes removing tags like @v2. or @master
John Rouillard <rouilj@ieee.org>
parents:
7129
diff
changeset
|
50 uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0 |
|
6286
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
51 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
52 # Initializes the CodeQL tools for scanning. |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
53 - name: Initialize CodeQL |
|
7148
cc49ac11850f
Pin actions by using hashes removing tags like @v2. or @master
John Rouillard <rouilj@ieee.org>
parents:
7129
diff
changeset
|
54 uses: github/codeql-action/init@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 |
|
6286
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
55 with: |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
56 languages: ${{ matrix.language }} |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
57 # If you wish to specify custom queries, you can do so here or in a config file. |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
58 # By default, queries listed here will override any specified in a config file. |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
59 # Prefix the list here with "+" to use these queries and those in the config file. |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
60 # queries: ./path/to/local/query, your-org/your-repo/queries@main |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
61 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
62 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
63 # If this step fails, then you should remove it and run the build manually (see below) |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
64 - name: Autobuild |
|
7148
cc49ac11850f
Pin actions by using hashes removing tags like @v2. or @master
John Rouillard <rouilj@ieee.org>
parents:
7129
diff
changeset
|
65 uses: github/codeql-action/autobuild@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 |
|
6286
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
66 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
67 # âšī¸ Command-line programs to run using the OS shell. |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
68 # đ https://git.io/JvXDl |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
69 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
70 # âī¸ If the Autobuild fails above, remove it and uncomment the following three lines |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
71 # and modify them (or add more) to build your code if your project |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
72 # uses a compiled language |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
73 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
74 #- run: | |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
75 # make bootstrap |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
76 # make release |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
77 |
|
9972e26ab140
add security analysis workflow
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
78 - name: Perform CodeQL Analysis |
|
7148
cc49ac11850f
Pin actions by using hashes removing tags like @v2. or @master
John Rouillard <rouilj@ieee.org>
parents:
7129
diff
changeset
|
79 uses: github/codeql-action/analyze@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 |