Run codeql anaysis on all platforms

UncleGrumpy · UncleGrumpy · commit dd0aff243172 · 2025-02-10T02:36:11.000Z
Add codeql to esp32-build.yaml workflow
Add codeql to pico-build.yaml workflow
Add codeql to stm32-build.yaml workflow
Add codeql to wasm-build.yaml workflow

Signed-off-by: Winford &lt;winford@object.stream&gt;
diff --git a/.github/workflows/esp32-build.yaml b/.github/workflows/esp32-build.yaml
@@ -37,6 +37,7 @@ jobs:
 
       matrix:
         esp-idf-target: ["esp32", "esp32c3"]
+        language: ['cpp']
         idf-version:
          - 'v5.0.7'
          - 'v5.1.5'
@@ -53,6 +54,13 @@ jobs:
     - name: Checkout repo
       uses: actions/checkout@v4
 
+    - name: "Initialize CodeQL"
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{matrix.language}}
+        mode: manual
+        queries: +./code-queries/term-to-non-term-func.ql,./code-queries/non-term-to-term-func.ql
+
     - name: Build with idf.py
       shell: bash
       working-directory: ./src/platforms/esp32/
@@ -69,6 +77,9 @@ jobs:
         . $IDF_PATH/export.sh
         idf.py size-components
 
+    - name: "Perform CodeQL Analysis"
+      uses: github/codeql-action/analyze@v3
+
     - name: Install dependencies to build host AtomVM and run qemu
       run: |
         set -eu
diff --git a/.github/workflows/pico-build.yaml b/.github/workflows/pico-build.yaml
@@ -37,6 +37,7 @@ jobs:
     strategy:
       matrix:
         board: ["pico", "pico_w"]
+        language: ["cpp"]
 
     steps:
     - name: Checkout repo
@@ -48,6 +49,13 @@ jobs:
     - name: "Install deps"
       run: sudo apt install -y cmake gperf ninja-build gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib erlang-base erlang-dialyzer
 
+    - name: "Initialize CodeQL"
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{matrix.language}}
+        mode: manual
+        queries: +./code-queries/term-to-non-term-func.ql,./code-queries/non-term-to-term-func.ql
+
     - name: Build
       shell: bash
       working-directory: ./src/platforms/rp2040/
@@ -58,6 +66,9 @@ jobs:
         cmake .. -G Ninja -DPICO_BOARD=${{ matrix.board }}
         ninja
 
+    - name: "Perform CodeQL Analysis"
+      uses: github/codeql-action/analyze@v3
+
     - name: Install nvm and nodejs 20
       run: |
         set -euo pipefail
diff --git a/.github/workflows/stm32-build.yaml b/.github/workflows/stm32-build.yaml
@@ -63,6 +63,13 @@ jobs:
     - name: Checkout repo
       uses: actions/checkout@v4
 
+    - name: "Initialize CodeQL"
+      uses: github/codeql-action/init@v3
+      with:
+        languages: 'cpp'
+        mode: manual
+        queries: +./code-queries/term-to-non-term-func.ql,./code-queries/non-term-to-term-func.ql
+
     - name: Build
       shell: bash
       working-directory: ./src/platforms/stm32/
@@ -73,3 +80,6 @@ jobs:
         # -DAVM_WARNINGS_ARE_ERRORS=ON
         cmake .. -DCMAKE_TOOLCHAIN_FILE=cmake/arm-toolchain.cmake -DLIBOPENCM3_DIR=/home/runner/libopencm3
         make -j
+
+    - name: "Perform CodeQL Analysis"
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/wasm-build.yaml b/.github/workflows/wasm-build.yaml
@@ -30,16 +30,38 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  compile_tests:
+  compile_and_test:
+    - name: "Compile, analyze, and test"
     runs-on: ubuntu-24.04
     container: erlang:27
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["cpp", "javascript"]
+        include:
+        - language: "cpp"
+          query: "+./code-queries/term-to-non-term-func.ql,./code-queries/non-term-to-term-func.ql"
+        - language: "javascript"
+          query: ""
+
     steps:
     - name: Checkout repo
       uses: actions/checkout@v4
 
     - name: Install required packages
       run: apt update && apt install -y gperf zlib1g-dev cmake ninja-build
 
+    - name: "Git config safe.directory for codeql"
+      run: git config --global --add safe.directory /__w/AtomVM/AtomVM
+
+    - name: "Initialize CodeQL"
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{matrix.language}}
+        mode: manual
+        queries: ${{matrix.query}}
+
     - name: Compile AtomVM and test modules
       run: |
         set -e
@@ -49,6 +71,9 @@ jobs:
         # test_eavmlib does not work with wasm due to http + ssl test
         ninja AtomVM atomvmlib test_alisp hello_world run_script call_cast html5_events wasm_webserver
 
+    - name: "Perform CodeQL Analysis"
+      uses: github/codeql-action/analyze@v3
+
     - name: Upload AtomVM and test modules
       uses: actions/upload-artifact@v4
       with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Added the ability to run beams from the CLI for Generic Unix platform (it was already possible with nodejs and emscripten).
 - Added preliminary support for ESP32P4 (no networking support yet).
+- CodeQL action runs on all platforms
 
 ### Fixed
 
