Merge pull request #3124 from GaijinEntertainment/bbatkin/jit-paralle… #10
| name: "CodeQL" | |
| # CodeQL static analysis over the C++ surface (src, include, modules, | |
| # tests-cpp). build-mode none — no traced build, so a run costs minutes, not a | |
| # full build per PR; switch to a built mode only if finding quality ever | |
| # warrants it. PR checks flag NEW alerts only; the pre-existing backlog lives | |
| # in the Security tab and does not gate PRs. .das files are invisible to | |
| # CodeQL — that surface is covered by the in-tree lint. | |
| on: | |
| push: | |
| branches: [master] | |
| paths: | |
| - 'src/**' | |
| - 'include/**' | |
| - 'modules/**' | |
| - 'tests-cpp/**' | |
| - '.github/workflows/codeql.yml' | |
| pull_request: | |
| branches: [master] | |
| paths: | |
| - 'src/**' | |
| - 'include/**' | |
| - 'modules/**' | |
| - 'tests-cpp/**' | |
| - '.github/workflows/codeql.yml' | |
| schedule: | |
| # weekly full refresh keeps the master baseline current even when no | |
| # C++-touching push happens (PR alert diffing compares against it) | |
| - cron: '20 3 * * 1' | |
| workflow_dispatch: | |
| jobs: | |
| analyze: | |
| name: analyze (c-cpp) | |
| # fork PRs get a read-only GITHUB_TOKEN, so the SARIF upload would fail — | |
| # skip them; the post-merge master push scans their code anyway | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository | |
| runs-on: ubuntu-latest-fat | |
| timeout-minutes: 90 | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: c-cpp | |
| build-mode: none | |
| # vendored code — findings there are not actionable here | |
| config: | | |
| paths-ignore: | |
| - 3rdparty | |
| - tests-cpp/3rdparty | |
| # build-mode none does NOT honor the init paths-ignore for C/C++ results | |
| # (a vendored alert under tests-cpp/3rdparty survived two master scans with | |
| # that config). Filter the SARIF post-analysis instead, then upload the | |
| # filtered file. Dropped results auto-close their alerts on the next scan. | |
| # src/parser generated lexers are deliberately NOT excluded — our rule | |
| # bodies live in them (a real OOB write hid there). | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:c-cpp" | |
| upload: false | |
| output: sarif-results | |
| - name: Filter vendored / generated paths from SARIF | |
| uses: advanced-security/filter-sarif@v1 | |
| with: | |
| patterns: | | |
| -**/3rdparty/** | |
| -**/stb_*.h | |
| -modules/dasSQLITE/sqlite/** | |
| -modules/dasMinfft/minfft/** | |
| -utils/dasFormatter/ds_parser.cpp | |
| input: sarif-results/cpp.sarif | |
| output: sarif-results/cpp.sarif | |
| - name: Upload filtered SARIF | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: sarif-results/cpp.sarif | |
| category: "/language:c-cpp" |
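Review bot: The five `uses:` references in the steps (actions/checkout@v4, github/codeql-action init/analyze/upload-sarif@v3, advanced-security/filter-sarif@v1) are pinned to mutable major tags, so a retagged release would be picked up silently by a job that holds `security-events: write` and, because actions/checkout persists the token in `.git/config` by default, can still read it from there in every later step. Pin each one to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: advanced-security/filter-sarif@<full-commit-sha>  # v1`, with the same form on the other four lines. Since nothing in this job pushes, the checkout step could also set `persist-credentials: false` so the token is not left on disk for the third-party filter step at all. Both are hardening points rather than defects in what the workflow does; the `permissions:` block itself is already minimal.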