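# Derived from https://github.com/route06/actions/blob/main/.github/workflows/codeql.yml
# Copyright (c) 2024 ROUTE06, Inc.
# Licensed under the MIT License.
#
# Reusable CodeQL workflow. The `changes` job works out which CodeQL-supported
# languages have added/modified files in the change set; the `languages` job
# then calls codeql_core.yml once per detected language via a matrix.
# Callers invoke this file with `uses:` and inherit the path filtering below.
name: CodeQL

on:  # yamllint disable-line rule:truthy
  workflow_call:

jobs:
  changes:
    name: Filter Paths
    runs-on: ubuntu-slim
    timeout-minutes: 10
    # Read-only token: this job only inspects the diff and never writes.
    # `pull-requests: read` lets paths-filter list changed files via the PR API.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      # JSON array of the language keys that matched, e.g. '["go","python"]'.
      languages: ${{ steps.format.outputs.languages }}
    steps:
      - name: Checkout repository
        # NOTE(review): pinned to a mutable major tag, while paths-filter below
        # is pinned to a full commit SHA. Pin to a SHA as well for a consistent
        # supply-chain posture (same applies to actions/github-script below).
        uses: actions/checkout@v6

      # The built-in `paths` filter of GitHub Actions cannot branch per job
      # inside one workflow file, so https://github.com/dorny/paths-filter is
      # used instead: this filter job runs first and every per-language job
      # branches on its outputs.
      - name: Determine languages
        id: determine
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          # Each key declared here becomes a step output ('true' / 'false').
          #
          # The extension list follows:
          # https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/#languages-and-compilers
          #
          # JavaScript and TypeScript extensions are deliberately grouped under
          # a single key because CodeQL treats them as one analysis target:
          # https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed
          filters: |
            actions:
              - added|modified: '.github/workflows/*.yml'
              - added|modified: '.github/workflows/*.yaml'
              - added|modified: '**/action.yml'
              - added|modified: '**/action.yaml'
            go:
              - added|modified: '**/*.go'
            javascript:
              - added|modified: '**/*.js'
              - added|modified: '**/*.jsx'
              - added|modified: '**/*.mjs'
              - added|modified: '**/*.es'
              - added|modified: '**/*.es6'
              - added|modified: '**/*.htm'
              - added|modified: '**/*.html'
              - added|modified: '**/*.xhtm'
              - added|modified: '**/*.xhtml'
              - added|modified: '**/*.vue'
              - added|modified: '**/*.hbs'
              - added|modified: '**/*.ejs'
              - added|modified: '**/*.njk'
              # TODO: interim workaround for JavaScript analysis being triggered
              # spuriously on YAML-only repositories. CodeQL normally also treats
              # JSON/YAML as JavaScript inputs; commented out for now.
              # - added|modified: '**/*.json'
              # - added|modified: '**/*.yaml'
              # - added|modified: '**/*.yml'
              - added|modified: '**/*.raml'
              - added|modified: '**/*.xml'
              - added|modified: '**/*.ts'
              - added|modified: '**/*.tsx'
              - added|modified: '**/*.mts'
              - added|modified: '**/*.cts'
            python:
              - added|modified: '**/*.py'
            ruby:
              - added|modified: '**/*.rb'
              - added|modified: '**/*.erb'
              - added|modified: '**/*.gemspec'
              - added|modified: '**/Gemfile'

      - name: Format filtered languages
        id: format
        uses: actions/github-script@v8
        # Hand the step outputs to the script through environment variables
        # rather than splicing `${{ }}` into the JavaScript source: an empty or
        # unexpected output then cannot break (or change) the script.
        env:
          CHANGED_ACTIONS: ${{ steps.determine.outputs.actions }}
          CHANGED_GO: ${{ steps.determine.outputs.go }}
          CHANGED_JAVASCRIPT: ${{ steps.determine.outputs.javascript }}
          CHANGED_PYTHON: ${{ steps.determine.outputs.python }}
          CHANGED_RUBY: ${{ steps.determine.outputs.ruby }}
        with:
          script: |
            // Map each language key to whether paths-filter reported a match.
            const outputs = {
              actions: process.env.CHANGED_ACTIONS === 'true',
              go: process.env.CHANGED_GO === 'true',
              javascript: process.env.CHANGED_JAVASCRIPT === 'true',
              python: process.env.CHANGED_PYTHON === 'true',
              ruby: process.env.CHANGED_RUBY === 'true',
            };
            const languages = Object.keys(outputs)
              .filter(lang => outputs[lang]);
            core.setOutput('languages', JSON.stringify(languages));

  languages:
    needs: changes
    # Skip the whole matrix when no supported language was touched.
    if: ${{ needs.changes.outputs.languages != '[]' }}
    strategy:
      fail-fast: false
      matrix:
        language: ${{ fromJson(needs.changes.outputs.languages) }}
    uses: ./.github/workflows/codeql_core.yml
    # `security-events: write` is what lets the called workflow upload SARIF
    # results to code scanning; the rest stays read-only.
    permissions:
      actions: read
      contents: read
      security-events: write
    with:
      language: ${{ matrix.language }}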