Refactor CodeQL workflows

robomics · robomics · commit 0b764e8b0110 · 2025-02-03T11:51:17.000+01:00
diff --git a/.github/workflows/codeql-actions.yml b/.github/workflows/codeql-actions.yml
@@ -0,0 +1,46 @@
+# Copyright (C) 2025 Roberto Rossini <roberros@uio.no>
+# SPDX-License-Identifier: MIT
+
+name: Run CodeQL analysis (actions)
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/*.yml"
+  pull_request:
+    paths:
+      - ".github/workflows/*.yml"
+  schedule:
+    - cron: "0 5 1 * *" # run monthly at 05:00
+
+# https://stackoverflow.com/a/72408109
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (actions)
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: actions
+          build-mode: none
+
+      - name: Run Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:actions"
diff --git a/.github/workflows/codeql-cpp.yml b/.github/workflows/codeql-cpp.yml
@@ -1,25 +1,21 @@
 # Copyright (C) 2025 Roberto Rossini <roberros@uio.no>
 # SPDX-License-Identifier: MIT
 
-name: Run CodeQL analysis
+name: Run CodeQL analysis (C++)
 
 on:
   push:
     branches: [main]
     paths:
-      - ".github/workflows/*.yml"
+      - ".github/workflows/codeql-cpp.yml"
       - "cmake/**"
-      - "docs/*.py"
       - "examples/**"
       - "src/**"
-      - "test/fuzzer/scripts/*.py"
       - "test/integration/**"
       - "test/units/**"
-      - "utils/devel/*.py"
       - "CMakeLists.txt"
-      - "conanfile.py"
-    schedule:
-      - cron: "0 5 1 * *" # run monthly at 05:00
+  schedule:
+    - cron: "0 5 1 * *" # run monthly at 05:00
 
 # https://stackoverflow.com/a/72408109
 concurrency:
@@ -37,16 +33,9 @@ jobs:
       os: ubuntu-20.04
 
   analyze:
-    name: Analyze (${{ matrix.language }})
+    name: Analyze (C++)
     runs-on: ubuntu-24.04
     needs: [build-conan-deps]
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - { language: actions, build-mode: none }
-          - { language: c-cpp, build-mode: manual }
-          - { language: python, build-mode: none }
     permissions:
       contents: read
       security-events: write
@@ -60,41 +49,36 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Symlink Conan home
-        if: matrix.language == 'c-cpp'
         run: |
           mkdir -p /home/runner/opt/conan
           ln -s /home/runner/opt/conan/ /opt/conan
 
       - name: Restore Conan cache
-        if: matrix.language == 'c-cpp'
         uses: actions/cache/restore@v4
         with:
           key: ${{ needs.build-conan-deps.outputs.conan-key }}
           path: ${{ env.CONAN_HOME }}/p
           fail-on-cache-miss: true
 
       - name: Restore CMake configs
-        if: matrix.language == 'c-cpp'
         uses: actions/cache/restore@v4
         with:
           key: ${{ needs.build-conan-deps.outputs.cmake-prefix-debug-key }}
           path: /tmp/cmake-prefix-dbg.tar
           fail-on-cache-miss: true
 
       - name: Extract CMake configs
-        if: matrix.language == 'c-cpp'
         run: |
           mkdir conan-env
           tar -xf /home/runner/tmp/cmake-prefix-dbg.tar -C conan-env/ --strip-components=1
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
-          languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
+          languages: c-cpp
+          build-mode: manual
 
       - name: Configure project
-        if: matrix.language == 'c-cpp'
         run: |
           cmake -DCMAKE_BUILD_TYPE=Debug                \
                 -DCMAKE_PREFIX_PATH="$PWD/conan-env"    \
@@ -108,10 +92,9 @@ jobs:
                 -B build
 
       - name: Build project
-        if: matrix.language == 'c-cpp'
         run: cmake --build build -j $(nproc)
 
       - name: Run Analysis
         uses: github/codeql-action/analyze@v3
         with:
-          category: "/language:${{ matrix.language }}"
+          category: "/language:c-cpp"
diff --git a/.github/workflows/codeql-python.yml b/.github/workflows/codeql-python.yml
@@ -0,0 +1,51 @@
+# Copyright (C) 2025 Roberto Rossini <roberros@uio.no>
+# SPDX-License-Identifier: MIT
+
+name: Run CodeQL analysis (Python)
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/codeql-python.yml"
+      - "docs/*.py"
+      - "test/fuzzer/scripts/*.py"
+      - "utils/devel/*.py"
+  pull_request:
+    paths:
+      - "docs/*.py"
+      - "test/fuzzer/scripts/*.py"
+      - "utils/devel/*.py"
+  schedule:
+    - cron: "0 5 1 * *" # run monthly at 05:00
+
+# https://stackoverflow.com/a/72408109
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (python)
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          build-mode: none
+
+      - name: Run Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"
