-
-
Notifications
You must be signed in to change notification settings - Fork 1
142 lines (118 loc) · 3.52 KB
/
workflow-common-codeql.yml
File metadata and controls
142 lines (118 loc) · 3.52 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
name: Common CodeQL Analysis
permissions:
security-events: write
contents: read
packages: read
actions: read
on:
workflow_call:
inputs:
dotnetVersions:
type: string
default: |
8.0.x
9.0.x
10.0.x
description: 'Newline-separated list of .NET SDK versions'
srcFolder:
type: string
default: 'src'
description: 'Folder containing the solution'
solutionFile:
type: string
default: ''
description: 'Solution file relative to srcFolder'
configuration:
type: string
default: 'Release'
description: 'Build configuration'
installWorkloads:
type: boolean
default: false
description: 'Run workload restore before build'
analyzeCSharp:
type: boolean
default: true
description: 'Run CodeQL C# analysis with manual build'
csharpRunsOn:
type: string
default: 'windows-latest'
description: 'Runner for C# analysis (use windows-latest for projects with Windows-specific targets)'
analyzeActions:
type: boolean
default: true
description: 'Run CodeQL GitHub Actions analysis'
analyzeJavaScript:
type: boolean
default: false
description: 'Run CodeQL JavaScript/TypeScript analysis'
jobs:
analyze-csharp:
name: Analyze C#
if: inputs.analyzeCSharp
runs-on: ${{ inputs.csharpRunsOn }}
env:
DOTNET_CLI_WORKLOAD_UPDATE_NOTIFY_DISABLE: 1
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 0
lfs: true
- name: Setup .NET Environment
uses: reactiveui/actions-common/.github/actions/dotnet-environment@main
with:
dotnet-versions: ${{ inputs.dotnetVersions }}
src-folder: ${{ inputs.srcFolder }}
solution-file: ${{ inputs.solutionFile }}
install-workloads: ${{ inputs.installWorkloads && 'true' || 'false' }}
use-nbgv: 'false'
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: csharp
build-mode: manual
queries: security-extended
- name: Build
uses: reactiveui/actions-common/.github/actions/dotnet-build@main
with:
configuration: ${{ inputs.configuration }}
src-folder: ${{ inputs.srcFolder }}
solution-file: ${{ inputs.solutionFile }}
create-packages: 'false'
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:csharp"
analyze-actions:
name: Analyze GitHub Actions
if: inputs.analyzeActions
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: actions
queries: security-extended
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:actions"
analyze-javascript:
name: Analyze JavaScript
if: inputs.analyzeJavaScript
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: javascript-typescript
queries: security-extended
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:javascript-typescript"