-
Notifications
You must be signed in to change notification settings - Fork 0
127 lines (115 loc) · 4.75 KB
/
Copy pathcodeql.yml
File metadata and controls
127 lines (115 loc) · 4.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
name: codeql
on:
push:
branches: [main]
paths-ignore: ["docs/**"]
pull_request:
branches: [main]
paths-ignore: ["docs/**"]
schedule:
# Weekly re-scan so newly-published CodeQL queries run against main even
# during quiet periods. Monday 07:00 UTC.
- cron: "0 7 * * 1"
workflow_dispatch: # manual run (e.g. to validate the swift scan on a branch)
concurrency:
group: codeql-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
# GitHub Actions workflow analysis — cheap (Linux, no build). Runs on every
# trigger, PRs included, so workflow-injection issues are caught pre-merge.
actions:
name: Analyze (actions)
runs-on: ubuntu-latest
permissions:
security-events: write # upload SARIF results to code scanning
actions: read # required to read workflow runs on private repos
contents: read # checkout
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
with:
languages: actions
build-mode: none
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
with:
category: "/language:actions"
# Swift analysis — expensive (a full macOS build). Skipped on PRs: check.yml
# already gates every PR with a macOS build, so running a second one here just
# to trace it doubles the per-PR cost. Instead it runs on push to main, the
# weekly schedule, and manual dispatch — so main + the schedule still scan all
# the Swift code, just off the PR critical path.
swift:
name: Analyze (swift)
if: github.event_name != 'pull_request'
runs-on: macos-26
timeout-minutes: 60
env:
DERIVED: ${{ github.workspace }}/DerivedData-codeql
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
# Cache the resolved SwiftPM checkouts so we don't re-clone the SDKs'
# full git history on every run. Keyed on the pinned Package.resolved, so a
# dependency bump busts the cache. restore-keys lets an older cache seed a
# partial hit when the pins change.
- name: Cache SwiftPM checkouts
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6
with:
path: ${{ env.DERIVED }}/SourcePackages
key: spm-${{ runner.os }}-${{ hashFiles('App/Blurt/Blurt.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}
restore-keys: |
spm-${{ runner.os }}-
# Resolve dependencies BEFORE codeql init, so the git clones run natively
# (arm64) and untraced. CodeQL's Swift tracer runs the build as an x86_64
# (Rosetta) process, which makes dependency resolution — the slow part —
# crawl. CodeQL only needs to trace the compile, not the resolve, so we do
# the resolve here into the shared DerivedData path the build reuses.
- name: Resolve packages (native, untraced)
working-directory: App/Blurt
run: |
xcodebuild \
-project Blurt.xcodeproj \
-scheme Blurt \
-derivedDataPath "$DERIVED" \
-resolvePackageDependencies
- name: Initialize CodeQL
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
with:
languages: swift
build-mode: manual
# build-mode: manual — build the committed Blurt.xcodeproj directly (no
# xcodegen: it's checked in and drift-checked by the `check` workflow).
# Generic "Any Mac" destination, not arch=arm64: under CodeQL's x86_64
# tracer, xcodebuild can't match an arm64 device for our arm64-only project.
# -derivedDataPath reuses the packages resolved above. Codesigning is off:
# the Developer ID cert only lives on the maintainer's machine.
- name: Build Swift
working-directory: App/Blurt
run: |
xcodebuild \
-project Blurt.xcodeproj \
-scheme Blurt \
-configuration Debug \
-destination 'generic/platform=macOS' \
-derivedDataPath "$DERIVED" \
CODE_SIGN_IDENTITY="-" \
CODE_SIGNING_REQUIRED=NO \
CODE_SIGNING_ALLOWED=NO \
build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
with:
category: "/language:swift"