Setup CodeQL analysis

robomics · robomics · commit 71efcf1d1d8d · 2025-02-02T19:05:46.000+01:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,117 @@
+# Copyright (C) 2025 Roberto Rossini <roberros@uio.no>
+# SPDX-License-Identifier: MIT
+
+name: Run CodeQL analysis
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/*.yml"
+      - "cmake/**"
+      - "docs/*.py"
+      - "examples/**"
+      - "src/**"
+      - "test/fuzzer/scripts/*.py"
+      - "test/integration/**"
+      - "test/units/**"
+      - "utils/devel/*.py"
+      - "CMakeLists.txt"
+      - "conanfile.py"
+    schedule:
+      - cron: "0 5 1 * *" # run monthly at 05:00
+
+# https://stackoverflow.com/a/72408109
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  build-conan-deps:
+    name: Build Conan deps
+    uses: paulsengroup/hictk/.github/workflows/build-conan-deps.yml@main
+    with:
+      os: ubuntu-20.04
+
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-24.04
+    needs: [build-conan-deps]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - { language: actions, build-mode: none }
+          - { language: c-cpp, build-mode: manual }
+          - { language: python, build-mode: none }
+    permissions:
+      contents: read
+      security-events: write
+
+    env:
+      CCACHE_DISABLE: "1"
+      CONAN_HOME: "/opt/conan/"
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Symlink Conan home
+        if: matrix.language == 'c-cpp'
+        run: |
+          mkdir -p /home/runner/opt/conan
+          ln -s /home/runner/opt/conan /opt/conan
+
+      - name: Restore Conan cache
+        if: matrix.language == 'c-cpp'
+        uses: actions/cache/restore@v4
+        with:
+          key: ${{ needs.build-conan-deps.outputs.conan-key }}
+          path: ${{ env.CONAN_HOME }}/p
+          fail-on-cache-miss: true
+
+      - name: Restore CMake configs
+        if: matrix.language == 'c-cpp'
+        uses: actions/cache/restore@v4
+        with:
+          key: ${{ needs.build-conan-deps.outputs.cmake-prefix-debug-key }}
+          path: /tmp/cmake-prefix-dbg.tar
+          fail-on-cache-miss: true
+
+      - name: Extract CMake configs
+        if: matrix.language == 'c-cpp'
+        run: |
+          mkdir conan-env
+          tar -xf /home/runner/tmp/cmake-prefix-dbg.tar -C conan-env/ --strip-components=1
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      - name: Configure project
+        if: matrix.language == 'c-cpp'
+        run: |
+          cmake -DCMAKE_BUILD_TYPE=Debug                \
+                -DCMAKE_PREFIX_PATH="$PWD/conan-env"    \
+                -DENABLE_DEVELOPER_MODE=OFF             \
+                -DHICTK_ENABLE_TESTING=ON               \
+                -DHICTK_BUILD_EXAMPLES=ON               \
+                -DHICTK_DOWNLOAD_TEST_DATASET=OFF       \
+                -DHICTK_ENABLE_GIT_VERSION_TRACKING=OFF \
+                -DCMAKE_INSTALL_PREFIX=dest             \
+                -S .                                    \
+                -B build
+
+      - name: Build project
+        if: matrix.language == 'c-cpp'
+        run: cmake --build build -j $(nproc)
+
+      - name: Run Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
