Improve test coverage for Python support #804
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: "CodeQL Analysis" | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| - cron: '0 3 * * 0' # weekly (UTC) — adjust as needed | |
| workflow_dispatch: | |
| workflow_call: | |
| inputs: | |
| checkout-path: | |
| description: "Path to check out code to" | |
| required: false | |
| type: string | |
| build-path: | |
| description: "Path for build artifacts" | |
| required: false | |
| type: string | |
| language-matrix: | |
| description: "JSON array of languages to analyze" | |
| required: false | |
| type: string | |
| default: '["cpp", "python", "actions"]' | |
| pr-number: | |
| description: "PR number if run in PR context" | |
| required: false | |
| type: string | |
| pr-head-repo: | |
| description: "The full name of the PR head repository" | |
| required: false | |
| type: string | |
| pr-base-repo: | |
| description: "The full name of the PR base repository" | |
| required: false | |
| type: string | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| env: | |
| BUILD_TYPE: RelWithDebInfo | |
| CPP_COMPILER: g++ | |
| jobs: | |
| codeql: | |
| name: Analyze ${{ matrix.language }} with CodeQL | |
| runs-on: ubuntu-24.04 | |
| container: | |
| image: ghcr.io/framework-r-d/phlex-ci:latest | |
| env: | |
| local_checkout_path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} | |
| local_build_path: ${{ (github.event_name == 'workflow_call' && inputs.build-path) || format('{0}-build', github.event.repository.name) }} | |
| CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE: ${{ github.workspace }}/${{ (github.event_name == 'workflow_call' && inputs.build-path) || format('{0}-build', github.event.repository.name) }}/compile_commands.json | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: ${{ fromJson((github.event_name == 'workflow_call' && inputs.language-matrix) || '["cpp", "python", "actions"]') }} | |
| timeout-minutes: 120 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| path: ${{ env.local_checkout_path }} | |
| fetch-depth: 0 | |
| - name: Setup build environment | |
| uses: Framework-R-D/phlex/.github/actions/setup-build-env@main | |
| with: | |
| build-path: ${{ env.local_build_path }} | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 | |
| with: | |
| languages: ${{ matrix.language }} | |
| config-file: ${{ env.local_checkout_path }}/.github/codeql/codeql-config.yml | |
| source-root: ${{ env.local_checkout_path }} | |
| build-mode: none | |
| - name: Produce compile_commands.json (C++ only) | |
| if: matrix.language == 'cpp' | |
| uses: Framework-R-D/phlex/.github/actions/configure-cmake@main | |
| with: | |
| build-type: ${{ env.BUILD_TYPE }} | |
| source-path: ${{ env.local_checkout_path }} | |
| build-path: ${{ env.local_build_path }} | |
| - name: Verify compile_commands.json (C++ only) | |
| if: matrix.language == 'cpp' | |
| run: | | |
| set -euo pipefail | |
| if [ ! -f "$CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE" ]; then | |
| echo "Expected compile_commands.json at $CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE" >&2 | |
| exit 1 | |
| fi | |
| # Run CodeQL analysis (uploads results to code scanning) | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 | |
| with: | |
| checkout_path: ${{ env.local_checkout_path }} | |
| output: results | |
| category: ${{ matrix.language }} | |
| - name: Upload SARIF results | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: codeql-sarif-${{ matrix.language }} | |
| path: results | |
| retention-days: 7 | |
| codeql-report: | |
| name: Aggregate CodeQL alerts | |
| needs: codeql | |
| runs-on: ubuntu-24.04 | |
| if: needs.codeql.result == 'success' | |
| permissions: | |
| contents: read | |
| issues: write | |
| pull-requests: write | |
| security-events: read | |
| env: | |
| CODEQL_MIN_LEVEL: warning | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: Set log file path | |
| id: set_log_path | |
| run: echo "path=$RUNNER_TEMP/codeql-alerts.log" >> "$GITHUB_OUTPUT" | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Checkout Phlex for scripts | |
| if: github.event_name == 'workflow_call' | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| repository: Framework-R-D/phlex | |
| path: phlex | |
| fetch-depth: 0 | |
| - name: Download CodeQL SARIF artifacts | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 | |
| with: | |
| pattern: codeql-sarif-* | |
| path: sarif | |
| merge-multiple: true | |
| - name: Check CodeQL SARIF for new or resolved alerts | |
| id: check_codeql | |
| run: | | |
| set -euo pipefail | |
| ARGS=( | |
| --sarif "$GITHUB_WORKSPACE/sarif" | |
| --min-level "${CODEQL_MIN_LEVEL}" | |
| --log-path "${{ steps.set_log_path.outputs.path }}" | |
| ) | |
| PR_NUMBER="" | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| PR_NUMBER="${{ github.event.pull_request.number }}" | |
| elif [ "${{ github.event_name }}" = "workflow_call" ]; then | |
| PR_NUMBER="${{ inputs.pr-number }}" | |
| fi | |
| if [ -n "$PR_NUMBER" ]; then | |
| ARGS+=(--ref "refs/pull/${PR_NUMBER}/merge") | |
| fi | |
| script_path="scripts/check_codeql_alerts.py" | |
| if [ "${{ github.event_name }}" = "workflow_call" ]; then | |
| script_path="phlex/$script_path" | |
| fi | |
| python3 "$script_path" "${ARGS[@]}" | |
| - name: Upload CodeQL alerts debug log | |
| if: always() | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: codeql-alerts-debug-log | |
| path: ${{ steps.set_log_path.outputs.path }} | |
| retention-days: 3 | |
| - name: Prepare PR comment data | |
| if: >- | |
| github.event_name == 'pull_request' && | |
| steps.check_codeql.outputs.comment_path != '' | |
| run: | | |
| mkdir -p pr_comment_data | |
| echo "${{ github.event.pull_request.number }}" > pr_comment_data/pr_number.txt | |
| cp "${{ steps.check_codeql.outputs.comment_path }}" pr_comment_data/comment_body.md | |
| - name: Upload PR comment data | |
| if: >- | |
| github.event_name == 'pull_request' && | |
| steps.check_codeql.outputs.comment_path != '' | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: codeql-pr-data | |
| path: pr_comment_data/ | |
| retention-days: 1 | |
| - name: Fail workflow due to new CodeQL alerts | |
| # Fails the check on the PR so the user sees red X | |
| if: >- | |
| github.event_name == 'pull_request' && | |
| steps.check_codeql.outputs.new_alerts == 'true' | |
| run: | | |
| echo "New CodeQL alerts detected; failing job." | |
| exit 1 |