|
| 1 | +# ******************************************************************************* |
| 2 | +# Copyright (c) 2026 Contributors to the Eclipse Foundation |
| 3 | +# |
| 4 | +# See the NOTICE file(s) distributed with this work for additional |
| 5 | +# information regarding copyright ownership. |
| 6 | +# |
| 7 | +# This program and the accompanying materials are made available under the |
| 8 | +# terms of the Apache License Version 2.0 which is available at |
| 9 | +# https://www.apache.org/licenses/LICENSE-2.0 |
| 10 | +# |
| 11 | +# SPDX-License-Identifier: Apache-2.0 |
| 12 | +# ******************************************************************************* |
| 13 | + |
| 14 | +name: CodeQL Static Analysis |
| 15 | + |
| 16 | +on: |
| 17 | + pull_request: |
| 18 | + types: [opened, reopened, synchronize] |
| 19 | + merge_group: |
| 20 | + types: [checks_requested] |
| 21 | + push: |
| 22 | + branches: |
| 23 | + - main |
| 24 | + workflow_dispatch: |
| 25 | + schedule: |
| 26 | + - cron: "0 6 * * 1" |
| 27 | + |
| 28 | +env: |
| 29 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 30 | + |
| 31 | +jobs: |
| 32 | + codeql-analysis: |
| 33 | + name: CodeQL MISRA/CERT C++ Analysis |
| 34 | + runs-on: ubuntu-latest |
| 35 | + |
| 36 | + permissions: |
| 37 | + security-events: write |
| 38 | + contents: read |
| 39 | + |
| 40 | + steps: |
| 41 | + - name: Checkout code |
| 42 | + uses: actions/checkout@v4.2.2 |
| 43 | + |
| 44 | + - name: Initialize CodeQL |
| 45 | + uses: github/codeql-action/init@v4 |
| 46 | + with: |
| 47 | + languages: cpp |
| 48 | + packs: codeql/misra-cpp-coding-standards,codeql/cert-cpp-coding-standards |
| 49 | + trap-caching: false |
| 50 | + - name: Setup Bazel |
| 51 | + uses: bazel-contrib/setup-bazel@0.15.0 |
| 52 | + with: |
| 53 | + bazelisk-version: 1.26.0 |
| 54 | + repository-cache: true |
| 55 | + bazelisk-cache: true |
| 56 | + |
| 57 | + - name: Build with Bazel (CodeQL traces compiler calls) |
| 58 | + run: | |
| 59 | + bazel build \ |
| 60 | + --lockfile_mode=error \ |
| 61 | + --config x86_64-linux \ |
| 62 | + --nouse_action_cache \ |
| 63 | + --disk_cache= \ |
| 64 | + --noremote_accept_cached \ |
| 65 | + --noremote_upload_local_results \ |
| 66 | + //... |
| 67 | +
|
| 68 | + - name: Run CodeQL analysis |
| 69 | + uses: github/codeql-action/analyze@v4 |
| 70 | + with: |
| 71 | + category: cpp-misra-cert |
| 72 | + output: _sca |
| 73 | + upload: true |
| 74 | + |
| 75 | + - name: Upload SARIF artifacts |
| 76 | + if: always() |
| 77 | + uses: actions/upload-artifact@v4 |
| 78 | + with: |
| 79 | + name: codeql-results |
| 80 | + path: _sca/ |
| 81 | + retention-days: 30 |
0 commit comments