From 0015800f9362be70ea85f1a25c6c44acffe9a56f Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Wed, 5 Feb 2025 14:01:23 -0800
Subject: [PATCH 1/6] Run CodeQL on PRs
---
 .github/workflows/codeql-daily.yml | 44 ----------------------
 .github/workflows/codeql.yml | 56 ++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 44 deletions(-)
 delete mode 100644 .github/workflows/codeql-daily.yml
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
deleted file mode 100644
index 3331db67be3..00000000000
--- a/.github/workflows/codeql-daily.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-name: CodeQL (daily)
-
-on:
- schedule:
- # Daily at 01:30 (UTC)
- - cron: '30 1 * * *'
- workflow_dispatch:
-
-jobs:
- analyze:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Set up Java 17
- uses: actions/setup-java@v4
- with:
- distribution: temurin
- java-version: 17
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: java
- # using "latest" helps to keep up with the latest Kotlin support
- # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
- tools: latest
-
- - name: Set up gradle
- uses: gradle/actions/setup-gradle@v4
- - name: Assemble
- # skipping build cache is needed so that all modules will be analyzed
- run: ./gradlew assemble --no-build-cache
-
- - name: Perform CodeQL analysis
- uses: github/codeql-action/analyze@v3
-
- open-issue-on-failure:
- # open an issue on failure because it can be easy to miss CI failure notifications
- needs:
- - analyze
- if: failure() && github.run_attempt == 1
- uses: ./.github/workflows/reusable-open-issue-on-failure.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000000..5b97d2f8b6b
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,56 @@
+name: CodeQL
+
+on:
+ pull_request:
+ branches:
+ - main
+ - release/*
+ - v0.*
+ - v1.*
+ push:
+ branches:
+ - main
+ - release/*
+ - v0.*
+ - v1.*
+ schedule:
+ - cron: "29 13 * * 2" # weekly at 13:29 UTC on Tuesday
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ permissions:
+ contents: read
+ actions: read # for github/codeql-action/init to get workflow details
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Java 17
+ uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 17
+
+ - name: Set up gradle
+ uses: gradle/actions/setup-gradle@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: java, actions
+ # using "latest" helps to keep up with the latest Kotlin support
+ # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
+ tools: latest
+
+ - name: Assemble
+ # --no-build-cache is required for codeql to analyze all modules
+ # --no-daemon is required for codeql to observe the compilation
+ # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)
+ run: ./gradlew assemble --no-build-cache
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v3
From 3858e7cd607801ce92d77af13680f06ef7226682 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Wed, 5 Feb 2025 14:09:50 -0800
Subject: [PATCH 2/6] and benchmarks branch
---
 .github/workflows/codeql.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5b97d2f8b6b..914fe086830 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
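Review bot: The `open-issue-on-failure` job from the deleted `codeql-daily.yml` is not carried over, so a failing weekly `schedule` run no longer opens an issue, even though the removed comment said scheduled CI failures are easy to miss. If the job is restored it should be gated on `github.event_name == 'schedule'` so ordinary PR failures do not create issues, and because this file now sets a top-level `permissions: contents: read`, the caller job must explicitly grant whatever the reusable workflow needs (presumably `issues: write` if it opens issues with `GITHUB_TOKEN` — confirm against `reusable-open-issue-on-failure.yml`, which this series does not show). If dropping the notification is intentional, a one-line comment under `schedule:` saying so would save the next reader the archaeology.
```yaml
jobs:
  analyze:
    # … unchanged: analyze job …

  open-issue-on-failure:
    # open an issue on failure because it can be easy to miss CI failure notifications
    needs:
      - analyze
    # only for the weekly scheduled run; PR failures are already visible on the PR
    if: failure() && github.run_attempt == 1 && github.event_name == 'schedule'
    permissions:
      issues: write # TODO confirm against reusable-open-issue-on-failure.yml
    uses: ./.github/workflows/reusable-open-issue-on-failure.yml
```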
@@ -7,12 +7,14 @@ on: - release/* - v0.* - v1.* + - benchmarks push: branches: - main - release/* - v0.* - v1.* + - benchmarks schedule: - cron: "29 13 * * 2" # weekly at 13:29 UTC on Tuesday
From 5ed62c40d481fa7d3c86fab7e8e7e48ff1454592 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Wed, 5 Feb 2025 15:36:39 -0800
Subject: [PATCH 3/6] no-daemon
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 914fe086830..bfd4dae50e8 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -52,7 +52,7 @@ jobs: # --no-build-cache is required for codeql to analyze all modules # --no-daemon is required for codeql to observe the compilation # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands) - run: ./gradlew assemble --no-build-cache + run: ./gradlew assemble --no-build-cache --no-daemon - name: Perform CodeQL analysis uses: github/codeql-action/analyze@v3
From 0ae460506243c1336d937ac85a808e96936e794f Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Wed, 5 Feb 2025 15:48:14 -0800
Subject: [PATCH 4/6] fix
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bfd4dae50e8..ba0fecc90d7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs: contents: read actions: read # for github/codeql-action/init to get workflow details security-events: write # for github/codeql-action/analyze to upload SARIF results - + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
From d408830ed32ae61edd764b7ffa8b115a8bb51b3e Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Wed, 5 Feb 2025 18:23:21 -0800
Subject: [PATCH 5/6] hashes
---
 .github/workflows/codeql.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ba0fecc90d7..a7d4ec21ef6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,19 +29,19 @@ jobs: security-events: write # for github/codeql-action/analyze to upload SARIF results runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Java 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: distribution: temurin java-version: 17 - name: Set up gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: languages: java, actions # using "latest" helps to keep up with the latest Kotlin support
@@ -55,4 +55,4 @@ jobs: run: ./gradlew assemble --no-build-cache --no-daemon - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
From 48cb63be039665f74cee469fd6b04a5c7edca04e Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Fri, 7 Feb 2025 06:49:26 -0800
Subject: [PATCH 6/6] Apply suggestions from code review
---
 .github/workflows/codeql.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a7d4ec21ef6..677f40b48ae 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
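Review bot: With all five actions now pinned to commit SHAs in this hunk and the `@@ -55,4` hunk that follows, the trailing `# vX.Y.Z` comments are the only thing that keeps the pins readable and bumpable, so they must be kept in sync with the SHA on every update (Dependabot and Renovate rewrite both together when the `github-actions` ecosystem is configured — I cannot see from this series whether it is). Pinning `init` and `analyze` to the same `dd746615…` SHA is the right pairing; they should keep moving together. Separately, the pinned `actions/checkout` step still persists the job token into the checkout by default, and the later `./gradlew assemble` step executes build logic from the checked-out ref; since nothing after the checkout needs the token, adding `with:` / `persist-credentials: false` to that step keeps it out of the workspace, though the practical exposure is limited by the read-scoped `contents` permission.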
@@ -5,15 +5,11 @@ on: branches: - main - release/* - - v0.* - - v1.* - benchmarks push: branches: - main - release/* - - v0.* - - v1.* - benchmarks schedule: - cron: "29 13 * * 2" # weekly at 13:29 UTC on Tuesday