From 8e1659ed3a9225823bb31e7bec8ccb94dbae8407 Mon Sep 17 00:00:00 2001
From: Ben Wibking
Date: Tue, 30 Jan 2024 14:21:17 -0500
Subject: [PATCH] enable CodeQL

---
.github/workflows/codeql.yml | 107 +++++++++++++++++++++
.github/workflows/codeql/codeql-config.yml | 10 ++
2 files changed, 117 insertions(+)
create mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/codeql/codeql-config.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..9206ef893
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,107 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [ "development" ]
+ pull_request:
+ branches: [ "development" ]
+ schedule:
+ - cron: "27 3 * * 0"
+
+concurrency:
+ group: ${{ github.ref }}-${{ github.head_ref }}-codeql
+ cancel-in-progress: true
+
+jobs:
+ analyze:
+ if: ${{ github.repository == 'quokka-astro/quokka' || github.event_name != 'schedule' }}
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ python, cpp ]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install Packages (C++)
+ if: ${{ matrix.language == 'cpp' }}
+ run: |
+ sudo apt-get update
+ sudo apt-get install --yes cmake openmpi-bin libopenmpi-dev libhdf5-openmpi-dev
+ .github/workflows/dependencies/dependencies_ccache.sh
+ sudo ln -s /usr/local/bin/ccache /usr/local/bin/g++
+
+ - name: Set Up Cache
+ if: ${{ matrix.language == 'cpp' }}
+ uses: actions/cache@v4
+ with:
+ path: ~/.cache/ccache
+ key: ccache-${{ github.workflow }}-${{ github.job }}-git-${{ github.sha }}
+ restore-keys: |
+ ccache-${{ github.workflow }}-${{ github.job }}-git-
+
+ - name: Configure (C++)
+ if: ${{ matrix.language == 'cpp' }}
+ run: |
+ cmake -S . -B build \
+ -DQUOKKA_PYTHON=OFF \
+ -DCMAKE_VERBOSE_MAKEFILE=ON \
+ -DCMAKE_CXX_COMPILER="/usr/local/bin/g++"
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ queries: +security-and-quality
+ config-file: ./.github/workflows/codeql/codeql-config.yml
+
+ - name: Build (py)
+ uses: github/codeql-action/autobuild@v3
+ if: ${{ matrix.language == 'python' }}
+
+ - name: Build (C++)
+ if: ${{ matrix.language == 'cpp' }}
+ run: |
+ export CCACHE_COMPRESS=1
+ export CCACHE_COMPRESSLEVEL=10
+ export CCACHE_MAXSIZE=30M
+ ccache -z
+
+ cmake --build build -j 4
+
+ ccache -s
+ du -hs ~/.cache/ccache
+
+ # Make sure CodeQL has something to do
+ touch src/main.cpp
+ export CCACHE_DISABLE=1
+ cd build
+ make -j 4
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
+
+ save_pr_number:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Save PR number
+ env:
+ PR_NUMBER: ${{ github.event.number }}
+ run: |
+ echo $PR_NUMBER > pr_number.txt
+ - uses: actions/upload-artifact@v4
+ with:
+ name: pr_number
+ path: pr_number.txt
+ retention-days: 1
diff --git a/.github/workflows/codeql/codeql-config.yml b/.github/workflows/codeql/codeql-config.yml
new file mode 100644
index 000000000..90eaf7ad5
--- /dev/null
+++ b/.github/workflows/codeql/codeql-config.yml
@@ -0,0 +1,10 @@
+query-filters:
+ - exclude:
+ id:
+ - cpp/commented-out-code
+ - cpp/complex-condition
+ - cpp/equality-on-floats
+ - cpp/fixme-comment
+ - cpp/path-injection
+ - cpp/poorly-documented-function
+ - cpp/use-of-goto
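Review bot: The `save_pr_number` job at the end of the hunk declares no `permissions:` block, so unlike `analyze` (which is scoped to `actions: read`, `contents: read`, `security-events: write`) it runs with whatever default `GITHUB_TOKEN` scope the repository settings grant. The job only writes a number to a file and uploads it as an artifact, so an explicit minimal block under its `runs-on: ubuntu-latest`, such as `permissions: contents: read` (verify that `upload-artifact` needs nothing more), or a restrictive top-level `permissions:` that `analyze` overrides, would keep the token minimal regardless of repo configuration. Separately, every action in the hunk is pinned to a mutable major tag (`actions/checkout@v4`, `actions/cache@v4`, `github/codeql-action/init@v3`, `actions/upload-artifact@v4`); pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a workflow that holds `security-events: write`.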
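Review bot: The `id:` exclusion list drops `cpp/path-injection`, the only security query among otherwise quality-oriented filters, and nothing in the file records why, so the `+security-and-quality` suite requested in the workflow silently loses that coverage for C++. A comment directly above the entry, `# cpp/path-injection excluded because: <reason> -- revisit once the findings are triaged`, or narrowing the suppression with a `paths-ignore:` list covering only the directories that produce the noise, would make the reduced coverage visible to reviewers instead of buried in a filter list.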