tm4e/.github/workflows/codeql.yml at main · eclipse-tm4e/tm4e · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
# https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
name: CodeQL

on:  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows
  schedule:
    # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#schedule
    - cron: "30 18 * * 1"  # Mondays 18:30 UTC
  push:
    branches: [ "main" ]
    paths-ignore:
    - '**/*.md'
    - '**/*.png'
    - '**/.project'
    - '**/.settings/*.prefs'
    - '.gitignore'
    - '.actrc'
    - 'Jenkinsfile'
  pull_request:
    branches: [ "main" ]
    paths-ignore:
    - '**/*.md'
    - '**/*.png'
    - '**/.project'
    - '**/.settings/*.prefs'
    - '.gitignore'
    - '.actrc'
    - 'Jenkinsfile'
  workflow_dispatch:
    # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch


defaults:
  run:
    shell: bash


env:
  JAVA_VERSION: 21


jobs:

  ###########################################################
  analyze:
  ###########################################################

    concurrency:
      group: codeql-${{ github.workflow }}-${{ github.ref }}-${{ matrix.language }}
      cancel-in-progress: true

    strategy:
      fail-fast: false
      matrix:
        include:
        # build-mode: https://github.com/github/codeql-action#build-modes
        - language: actions
          build-mode: none
        - language: java
          build-mode: manual
        - language: javascript
          build-mode: none
        - language: python
          build-mode: none

    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write

      # required to fetch internal or private CodeQL packs
      packages: read

      # only required for workflows in private repositories
      actions: read
      contents: read

    timeout-minutes: 15

    steps:
    - name: "Show: GitHub context"
      env:
        GITHUB_CONTEXT: ${{ toJSON(github) }}
      run: echo $GITHUB_CONTEXT


    - name: "Show: environment variables"
      run: env | sort


    - name: Git Checkout
      uses: actions/checkout@v6  # https://github.com/actions/checkout


    - name: "Install: JDK 21 for Compilation ☕"
      uses: actions/setup-java@v5  # https://github.com/actions/setup-java
      if: matrix.language == 'java'
      with:
        distribution: temurin
        java-version: 21


    - name: "Install: JDK 25 for Maven/Tycho ☕"
      uses: actions/setup-java@v5  # https://github.com/actions/setup-java
      if: matrix.language == 'java'
      with:
        distribution: temurin
        java-version: 25


    - name: "Cache: Local Maven Repository"
      uses: actions/cache/restore@v5
      if: matrix.language == 'java'
      with:
        # Excluded sub directory not working https://github.com/actions/toolkit/issues/713
        path: |
          ~/.m2/repository/*
          !~/.m2/repository/.cache/tycho
          !~/.m2/repository/.meta/p2-artifacts.properties
          !~/.m2/repository/p2
          !~/.m2/repository/*SNAPSHOT*
        key: ${{ runner.os }}-${{ runner.arch }}-repo-mvn-${{ hashFiles('**/pom.xml') }}


    - name: "Cache: Local Tycho Repository"
      uses: actions/cache/restore@v5
      if: matrix.language == 'java'
      with:
        path: |
          ~/.m2/repository/.cache/tycho
          ~/.m2/repository/.meta/p2-artifacts.properties
          ~/.m2/repository/p2
        key: ${{ runner.os }}-${{ runner.arch }}-repo-tycho-${{ hashFiles('target-platforms/oldest.target') }}


    # https://docs.github.com/en/code-security/code-scanning
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4  # https://github.com/github/codeql-action
      with:
        languages: ${{ matrix.language }}
        # https://github.com/github/codeql-action#build-modes
        build-mode: ${{ matrix.build-mode }}
        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs
        config-file: ./.github/codeql/codeql-config.yml


    - name: "Build with Maven 🔨"
      if: matrix.language == 'java'
      run: |
        set -euo pipefail

        MAVEN_OPTS="${MAVEN_OPTS:-}"
        MAVEN_OPTS+=" -Djava.security.egd=file:/dev/./urandom" # https://stackoverflow.com/questions/58991966/what-java-security-egd-option-is-for/59097932#59097932
        MAVEN_OPTS+=" -Dorg.slf4j.simpleLogger.showDateTime=true -Dorg.slf4j.simpleLogger.dateTimeFormat=HH:mm:ss,SSS" # https://stackoverflow.com/questions/5120470/how-to-time-the-different-stages-of-maven-execution/49494561#49494561
        export MAVEN_OPTS
        echo "MAVEN_OPTS: $MAVEN_OPTS"

        ./mvnw \
          --no-transfer-progress \
          --batch-mode \
          -Dmaven.test.skip=true \
          clean verify


    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v4  # https://github.com/github/codeql-action
      with:
        category: "/language:${{matrix.language}}"