.github/workflows/code-analysis.yml
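name: Code Analysis

# NOTE(review): every `uses:` below references a mutable major-version tag
# (@v1, @v3, @v4, @v5). Pinning each one to a full commit SHA would make the
# action supply chain reproducible and independent of tag moves.
on:
  workflow_dispatch:
  push:
    # Ignore everything, then re-include (leading '!') only the paths whose
    # changes can affect this analysis.
    paths-ignore:
      - '*'
      - '**/**'
      - '!.github/workflows/code-analysis.yml'
      - '!codecov.yml'
      - '!Gemfile'
      - '!scripts/install_dependencies.sh'
      - '!scripts/helper_functions.sh'
      - '!scripts/compile_native.sh'
      - '!scripts/test/**'
      - '!app/third_party/conan/Native/**'
      - '!app/third_party/conan/Android/**'
      - '!**/CMakeLists*'
      - '!**/*.java*'
      - '!**/*.kt*'
      - '!**/*.c*'
      - '!**/*.h'
      - '!**/*.hpp'
      - '!**/*gradle*'

# Least-privilege GITHUB_TOKEN: 'contents: read' for checkout, 'actions: read'
# for the CodeQL action to inspect the workflow run, 'security-events: write'
# for the SARIF and CodeQL database uploads. No other write scope is granted.
permissions:
  actions: read
  contents: read
  security-events: write

defaults:
  run:
    shell: sh
    working-directory: .

concurrency:
  group: ${{ github.workflow }} ${{ github.ref }}
  cancel-in-progress: true

# Default environment variables.
env:
  GITHUB_STEP_TIMEOUT_SMALL: 4
  GITHUB_STEP_TIMEOUT_MEDIUM: 10
  GITHUB_STEP_TIMEOUT_LONG: 20

jobs:
  Build:
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    strategy:
      fail-fast: false
      matrix:
        # Override automatic language detection by changing the below list
        # Supported options are ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift']
        language: ['cpp', 'java']
        host_os: ['ubuntu-latest']
        # Learn more...
        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
    name: Analyze ${{ matrix.language }} (${{ matrix.host_os }})
    runs-on: ${{ matrix.host_os }}
    timeout-minutes: 360
    steps:
      - name: Checkout
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success()
        uses: actions/checkout@v4

      - name: Set up JDK
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'java'
        uses: actions/setup-java@v4
        with:
          # Check available parameters in: https://github.com/actions/setup-java/blob/main/action.yml
          # Quoted so the version is always handed over as the string "21".
          java-version: '21'
          distribution: zulu
          java-package: jdk
          architecture: x64
          check-latest: false
          server-id: github
          # setup-java treats these two as environment-variable names that are
          # resolved at run time, not as literal credentials.
          server-username: GITHUB_ACTOR
          server-password: GITHUB_TOKEN
          settings-path: ~/.gradle
          overwrite-settings: true
          gpg-private-key: ''
          gpg-passphrase: GPG_PASSPHRASE
          cache: gradle
          cache-dependency-path: '**/build.gradle'

      - name: Check available Android versions
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'java' && !startsWith(matrix.host_os, 'windows')
        working-directory: .
        run: |
          echo 'Available Android versions:';
          du -h -d 1 ${ANDROID_HOME}/ndk;
          du -h -d 1 ${ANDROID_HOME}/cmake || true;
          du -h -d 1 ${ANDROID_HOME}/build-tools;
          ls -lahp ${ANDROID_HOME}/platforms;
          ls -lahp ${HOME};

      # Initializes the CodeQL tools for scanning.
      # Valid inputs are ['tools', 'languages', 'token', 'matrix', 'config-file', 'queries']
      # Queries: must be a built-in suite (security-extended or security-and-quality),
      # a relative path, or be of the form "owner/repo[/path]@ref"
      - name: Initialize CodeQL
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success()
        uses: github/codeql-action/init@v3
        with:
          # Check available parameters in: https://github.com/github/codeql-action/blob/main/init/action.yml
          languages: ${{ matrix.language }}
          token: ${{ github.token }}
          matrix: ${{ toJson(matrix) }}
          config-file: .github/codeql/codeql-config.yml
          queries: +security-and-quality
          source-root: .
          debug: false
          # NOTE(review): codeql/ruby-queries is listed although the matrix only
          # analyzes cpp and java - confirm it is still wanted.
          packs: codeql/cpp-queries,codeql/java-queries,codeql/ruby-queries

      - name: Set Qt CPU Architecture (Windows & MacOS)
        id: set-cpu-arch
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && (startsWith(matrix.host_os, 'windows') || startsWith(matrix.host_os, 'macos'))
        run: |
          if [ ${{ startsWith(matrix.host_os, 'windows') }} = true ]; then
            echo 'qt_host=windows' >> "${GITHUB_ENV}";
            echo 'qt_arch=win64_msvc2019_64' >> "${GITHUB_ENV}";
          elif [ ${{ startsWith(matrix.host_os, 'macos') }} = true ]; then
            echo 'qt_host=mac' >> "${GITHUB_ENV}";
            echo 'qt_arch=clang_64' >> "${GITHUB_ENV}";
          else
            exit 1;
          fi

      - name: Install Qt (Windows & MacOS)
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_MEDIUM) }}
        if: success() && (startsWith(matrix.host_os, 'windows') || startsWith(matrix.host_os, 'macos'))
        uses: jurplel/install-qt-action@v4
        # Download Qt from: https://download.qt.io/online/qtsdkrepository/
        with:
          # Check available parameters in: https://github.com/jurplel/install-qt-action/blob/master/action.yml
          version: '5.15.2' # Also update: app/CMakeLists.txt
          host: '${{ env.qt_host }}'
          target: 'desktop'
          arch: '${{ env.qt_arch }}'
          dir: '${{ github.workspace }}'
          install-deps: 'false'
          modules: ''
          cache: 'true'
          cache-key-prefix: '${{ env.qt_host }}-${{ env.qt_arch }}'
          setup-python: 'true'
          set-env: 'true'
          tools-only: 'false'
          aqtversion: '==3.1.*'
          py7zrversion: '==0.20.*'
          extra: '--external 7z'

      - name: Install dependencies
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'cpp'
        working-directory: .
        run: |
          sh scripts/install_dependencies.sh;

      - name: Setup Ruby, JRuby and TruffleRuby
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'cpp'
        uses: ruby/setup-ruby@v1
        with:
          # Check available parameters in: https://github.com/ruby/setup-ruby/blob/master/action.yml
          ruby-version: '3.3'
          bundler-cache: false
          cache-version: 0

      - name: Install Ruby dependencies
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'cpp'
        run: |
          bundle config set path.system true;
          bundle install;

      # Only execute shell unit tests for 'cpp' language because it doesn't matter in which build
      # these tests are executed.
      - name: Code Coverage Shell script tests
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'cpp'
        working-directory: .
        run: |
          bashcov scripts/test/helper_functions.sh;
          ls -lahp coverage;

      - name: Check code coverage report
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'cpp'
        run: |
          # shellcheck disable=SC1091
          . scripts/helper_functions.sh && checkPathExists coverage coverage.xml;

      - name: Upload reports to Codecov
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'cpp'
        uses: codecov/codecov-action@v5
        with:
          # Check available parameters in: https://github.com/codecov/codecov-action/blob/main/action.yml
          token: ${{ secrets.CODECOV_TOKEN }}
          directory: 'coverage'
          files: coverage/coverage.xml

      - name: Download Android CMake
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        # Uses `matrix.host_os`, as the other steps do: this workflow declares no
        # workflow_dispatch inputs, so an `inputs.host_os` lookup here would
        # always be empty and the Windows exclusion would never apply.
        if: success() && !startsWith(matrix.host_os, 'windows') && matrix.language != 'cpp'
        run: |
          ${ANDROID_HOME}/cmdline-tools/latest/bin/sdkmanager --install 'cmake;3.31.1';

      - name: Autobuild
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_LONG) }}
        if: success() && matrix.language != 'cpp'
        uses: github/codeql-action/autobuild@v3
        continue-on-error: false
        env:
          # NOTE(review): MAKEFLAGS is read by make itself rather than by a
          # shell, so the $(( ... )) arithmetic is presumably passed through
          # unexpanded - confirm the intended -j value actually reaches make.
          MAKEFLAGS: "-j$(($(nproc --all) * 2 - 1))"
          GRADLE_OPTS: '-Xms8G -Xmx8G -XX:ActiveProcessorCount=5'
        with:
          # Check available parameters in: https://github.com/github/codeql-action/blob/main/autobuild/action.yml
          token: ${{ github.token }}
          matrix: ${{ toJson(matrix) }}
          working-directory: ${{ github.workspace }}

      - name: Validate Gradle Wrapper
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'java'
        uses: gradle/actions/wrapper-validation@v4
        with:
          # Check available parameters in: https://github.com/gradle/actions/blob/main/wrapper-validation/action.yml
          min-wrapper-count: 1
          allow-snapshots: false
          allow-checksums: ''

      - name: Set C++ compiler
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success() && matrix.language == 'cpp'
        working-directory: .
        run: |
          if [ ${{ startsWith(matrix.host_os, 'windows') }} = true ]; then
            echo 'compiler=cl' >> "${GITHUB_ENV}";
          else
            echo 'compiler=g++' >> "${GITHUB_ENV}";
          fi

      - name: Build C++
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_MEDIUM) }}
        if: success() && matrix.language == 'cpp'
        working-directory: .
        # env.compiler is set by the step above to one of two fixed values, so
        # interpolating it into the command line does not expose untrusted input.
        run: |
          sh scripts/compile_native.sh -t debug -c ${{ env.compiler }} -r yes;

      - name: Perform CodeQL Analysis
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_MEDIUM) }}
        if: success()
        uses: github/codeql-action/analyze@v3
        with:
          # Check available parameters in: https://github.com/github/codeql-action/blob/main/analyze/action.yml
          check_name: CodeQL
          output: codeql-results
          # Upload is deferred: the SARIF is filtered below and then uploaded
          # by the dedicated upload-sarif step.
          upload: never
          # Check cleanup-level in: https://codeql.github.com/docs/codeql-cli/manual/database-cleanup/
          cleanup-level: brutal
          skip-queries: false
          checkout_path: ${{ github.workspace }}
          # ref: ${GITHUB_REF} does not match /^refs\/(heads|pull|tags)\/.*$/.
          # sha: ${GITHUB_SHA} does not match /^[0-9a-fA-F]+$/.
          # category: String used by Code Scanning for matching the analyses. Not required.
          # category: CodeQL
          upload-database: true
          wait-for-processing: true
          token: ${{ github.token }}
          matrix: ${{ toJson(matrix) }}

      - name: Validate CodeQL output was generated
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success()
        working-directory: .
        run: |
          ls -lahp ./codeql-results;
          ls -lahp ./codeql-results/${{ matrix.language }}.sarif;

      - name: Filter SARIF
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success()
        uses: advanced-security/filter-sarif@v1
        with:
          # Check available parameters in: https://github.com/advanced-security/filter-sarif/blob/main/action.yml
          # Drops every finding located under a third_party directory.
          patterns: |
            -**/*third_party*/**/*:**
          input: ./codeql-results/${{ matrix.language }}.sarif
          output: ./codeql-results/${{ matrix.language }}-filtered.sarif

      - name: Validate CodeQL output was generated
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success()
        working-directory: .
        run: |
          ls -lahp ./codeql-results;
          ls -lahp ./codeql-results/${{ matrix.language }}.sarif;
          ls -lahp ./codeql-results/${{ matrix.language }}-filtered.sarif;

      - name: Upload SARIF
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success()
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Check available parameters in: https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml
          sarif_file: ./codeql-results/${{ matrix.language }}-filtered.sarif

      - name: Upload reports as artifact
        timeout-minutes: ${{ fromJSON(env.GITHUB_STEP_TIMEOUT_SMALL) }}
        if: success()
        uses: actions/upload-artifact@v4
        with:
          # Check available parameters in: https://github.com/actions/upload-artifact/blob/main/action.yml
          name: sarif_${{ matrix.language }}-artifacts
          path: codeql-results
          if-no-files-found: error
          retention-days: 90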