Add some Regex queries #217
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This usage of CodeQL CLI is permitted by https://securitylab.github.com/tools/codeql/license | |
| # > Test CodeQL queries that are released under an OSI-approved Licence to confirm that new versions of those queries continue to find the right vulnerabilities. | |
| name: CodeQL checks | |
| # workflow_dispatch to support manually triggering workflow | |
| on: [push, pull_request, workflow_dispatch] | |
| jobs: | |
| codeql-cli: | |
| name: Run CodeQL CLI checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| # Fetch the codeql submodule | |
| submodules: recursive | |
| - name: Get CodeQL submodule version | |
| id: codeql-submodule-version | |
| run: | | |
| # Switch to submodule and get Git tag | |
| cd codeql | |
| # Fetch tags (and only tags), see https://stackoverflow.com/a/20608181 | |
| git fetch origin 'refs/tags/*:refs/tags/*' --quiet | |
| tag=$(git describe --exact-match --exclude "codeql-cli/latest") | |
| # Remove 'codeql-cli/' prefix | |
| version="${tag#codeql-cli/}" | |
| echo "version=${version}" >> $GITHUB_OUTPUT | |
| echo "Submodule version: ${version}" | |
| # Based on https://github.com/github/codeql/blob/45c942866830bec3463598774012a33a2cfaff96/.github/workflows/query-list.yml | |
| - name: Download CodeQL CLI | |
| uses: dsaltares/[email protected] | |
| with: | |
| repo: "github/codeql-cli-binaries" | |
| version: ${{ format('tags/{0}', steps.codeql-submodule-version.outputs.version) }} | |
| file: "codeql-linux64.zip" | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Unzip CodeQL CLI | |
| # -q to run quietly | |
| run: unzip -q -d codeql-cli codeql-linux64.zip | |
| - name: Print CodeQL CLI version | |
| id: codeql-version | |
| run: | | |
| ./codeql-cli/codeql/codeql version --format=terse | |
| echo "version=$(./codeql-cli/codeql/codeql version --format=terse)" >> $GITHUB_OUTPUT | |
| # TODO: Once available, change this to update the cache, see https://github.com/actions/cache/issues/342 | |
| # For now include the CodeQL CLI version in the cache key to invalidate the cache, see https://github.com/github/vscode-codeql/issues/730#issuecomment-764855019 | |
| - name: Cache CodeQL compilation cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.codeql | |
| key: ${{ runner.os }}-codeql-compilation-cache-${{ steps.codeql-version.outputs.version }}-${{ github.ref }} | |
| restore-keys: | | |
| ${{ runner.os }}-codeql-compilation-cache-${{ steps.codeql-version.outputs.version }}- | |
| # Compile all queries to detect errors in queries even without corresponding tests | |
| - name: Compile queries | |
| # Increase available RAM and use as many threads as there are cores | |
| # Don't use --check-only but perform actual compilation; with cache action above this is a lot faster | |
| run: ./codeql-cli/codeql/codeql query compile --search-path=codeql --ram 4096 --threads=0 --keep-going ./codeql-custom-queries-java/queries | |
| - name: Run query tests | |
| # Increase available RAM and use as many threads as there are cores | |
| run: ./codeql-cli/codeql/codeql test run "--search-path=codeql:./codeql-custom-queries-java/queries" --ram 4096 --threads=0 ./codeql-custom-queries-java/tests |