| # |
| # Copyright (c) 2022, The OpenThread Authors. |
| # All rights reserved. |
| # |
| # Redistribution and use in source and binary forms, with or without |
| # modification, are permitted provided that the following conditions are met: |
| # 1. Redistributions of source code must retain the above copyright |
| # notice, this list of conditions and the following disclaimer. |
| # 2. Redistributions in binary form must reproduce the above copyright |
| # notice, this list of conditions and the following disclaimer in the |
| # documentation and/or other materials provided with the distribution. |
| # 3. Neither the name of the copyright holder nor the |
| # names of its contributors may be used to endorse or promote products |
| # derived from this software without specific prior written permission. |
| # |
| # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
| # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE |
| # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
| # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
| # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| # POSSIBILITY OF SUCH DAMAGE. |
| # |
| |
| name: "CodeQL" |
| |
| on: |
| push: |
| branches: [ "main" ] |
| pull_request: |
| branches: [ "main" ] |
| |
| permissions: # added using https://github.com/step-security/secure-workflows |
| contents: read |
| |
| jobs: |
| analyze: |
| name: Analyze |
| runs-on: ubuntu-latest |
| permissions: |
| actions: read |
| contents: read |
| security-events: write |
| |
| strategy: |
| fail-fast: false |
| matrix: |
| language: [ 'cpp', 'python' ] |
| # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support |
| |
| steps: |
| - name: Harden Runner |
| uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 |
| with: |
| egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs |
| |
| - name: Checkout repository |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 |
| |
| - name: Bootstrap |
| run: | |
| sudo apt-get --no-install-recommends install -y ninja-build libreadline-dev libncurses-dev |
| |
| - name: Initialize CodeQL |
| uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8 |
| with: |
| languages: ${{ matrix.language }} |
| # If you wish to specify custom queries, you can do so here or in a config file. |
| # By default, queries listed here will override any specified in a config file. |
| # Prefix the list here with "+" to use these queries and those in the config file. |
| |
| # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs |
| # queries: security-extended,security-and-quality |
| |
| - run: | |
| ./script/test build |
| |
| - name: Perform CodeQL Analysis |
| uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8 |
| with: |
| category: "/language:${{matrix.language}}" |