infrastructure/actions
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial commit of actions

Browse source
This commit is contained in:
Dominik Polakovics Polakovics 2026-01-31 18:56:04 +01:00
commit 949ece5785
44660 changed files with 12034344 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
github/codeql-action-v1/pr-checks/checks/analyze-ref-input.yml Normal file
View file

@ -0,0 +1,15 @@
name: "Analyze: 'ref' and 'sha' from inputs"
description: "Checks that specifying 'ref' and 'sha' as inputs works"
steps:
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: cpp,csharp,java,javascript,python
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
ref: 'refs/heads/main'
sha: '5e235361806c361d4d3f8859e3c897658025a9a2'

26
github/codeql-action-v1/pr-checks/checks/autobuild-action.yml Normal file
View file

@ -0,0 +1,26 @@
name: "autobuild-action"
description: "Tests that the C# autobuild action works"
versions: ["latest"]
steps:
- uses: ./../action/init
with:
languages: csharp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
env:
# Explicitly disable the CLR tracer.
COR_ENABLE_PROFILING: ""
COR_PROFILER: ""
COR_PROFILER_PATH_64: ""
CORECLR_ENABLE_PROFILING: ""
CORECLR_PROFILER: ""
CORECLR_PROFILER_PATH_64: ""
- uses: ./../action/analyze
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d csharp ]]; then
echo "Did not find a C# database"
exit 1
fi

47
github/codeql-action-v1/pr-checks/checks/export-file-baseline-information.yml Normal file
View file

@ -0,0 +1,47 @@
name: "Export file baseline information"
description: "Tests that file baseline information is exported when the feature is enabled"
versions: ["nightly-latest"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
steps:
- uses: ./../action/init
id: init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
env:
CODEQL_FILE_BASELINE_INFORMATION: true
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
env:
CODEQL_FILE_BASELINE_INFORMATION: true
- name: Upload SARIF
uses: actions/upload-artifact@v3
with:
name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
expected_baseline_languages="cpp cs go java js py rb swift"
for lang in ${expected_baseline_languages}; do
rule_name="${lang}/baseline/expected-extracted-files"
found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
if [[ "${found_notification}" != "true" ]]; then
echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
exit 1
else
echo "Found notification '${rule_name}'."
fi
done

29
github/codeql-action-v1/pr-checks/checks/extractor-ram-threads.yml Normal file
View file

@ -0,0 +1,29 @@
name: "Extractor ram and threads options test"
description: "Tests passing RAM and threads limits to extractors"
versions: ["latest"]
operatingSystems: ["ubuntu"]
steps:
- uses: ./../action/init
with:
languages: java
ram: 230
threads: 1
- name: Assert Results
shell: bash
run: |
if [ "${CODEQL_RAM}" != "230" ]; then
echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
exit 1
fi
if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
exit 1
fi
if [ "${CODEQL_THREADS}" != "1" ]; then
echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
exit 1
fi
if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
exit 1
fi

14
github/codeql-action-v1/pr-checks/checks/go-custom-queries.yml Normal file
View file

@ -0,0 +1,14 @@
name: "Go: Custom queries"
description: "Checks that Go works in conjunction with a config file specifying custom queries"
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: ./../action/init
with:
languages: go
config-file: ./.github/codeql/custom-queries.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze

24
github/codeql-action-v1/pr-checks/checks/go-tracing-autobuilder.yml Normal file
View file

@ -0,0 +1,24 @@
name: "Go: tracing with autobuilder step"
description: "Checks that Go tracing works when using an autobuilder step"
operatingSystems: ["ubuntu", "macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
- uses: ./../action/analyze
- shell: bash
run: |
if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
echo "Expected the Go autobuilder to be run, but the" \
"CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
exit 1
fi
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d go ]]; then
echo "Did not find a Go database"
exit 1
fi

27
github/codeql-action-v1/pr-checks/checks/go-tracing-custom-build-steps.yml Normal file
View file

@ -0,0 +1,27 @@
name: "Go: tracing with custom build steps"
description: "Checks that Go tracing traces the build when using custom build steps"
operatingSystems: ["ubuntu", "macos"]
steps:
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
- shell: bash
run: |
# Once we start running Bash 4.2 in all environments, we can replace the
# `! -z` flag with the more elegant `-v` which confirms that the variable
# is actually unset and not potentially set to a blank value.
if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
echo "Expected the Go autobuilder not to be run, but the" \
"CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
exit 1
fi
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d go ]]; then
echo "Did not find a Go database"
exit 1
fi

18
github/codeql-action-v1/pr-checks/checks/go-tracing-legacy-workflow.yml Normal file
View file

@ -0,0 +1,18 @@
name: "Go: tracing with legacy workflow"
description: "Checks that we run the autobuilder in legacy workflows with neither an autobuild step nor manual build steps"
operatingSystems: ["ubuntu", "macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
- shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d go ]]; then
echo "Did not find a Go database"
exit 1
fi

42
github/codeql-action-v1/pr-checks/checks/init-with-registries.yml Normal file
View file

@ -0,0 +1,42 @@
# A test for running the init command with a registries block.
# This test does _not_ validate that the action can authenticate
# against multiple registries. All it does is validate that the
# basic mechanics of multi-registry auth is working.
name: "Packaging: Download using registries"
description: "Checks that specifying a registries block and associated auth works as expected"
versions: ["nightly-latest"] # This feature is not compatible with old CLIs
steps:
- name: Init with registries
uses: ./../action/init
with:
db-location: "${{ runner.temp }}/customDbLocation"
tools: ${{ steps.prepare-test.outputs.tools-url }}
config-file: ./.github/codeql/codeql-config-registries.yml
languages: javascript
registries: |
- url: "https://ghcr.io/v2/"
packages: "*/*"
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Verify packages installed
shell: bash
run: |
PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
if [[ -d $PRIVATE_PACK ]]
then
echo "$PRIVATE_PACK was installed."
else
echo "::error $PRIVATE_PACK pack was not installed."
exit 1
fi
if [[ -d $CODEQL_PACK1 ]]
then
echo "$CODEQL_PACK1 was installed."
else
echo "::error $CODEQL_PACK1 pack was not installed."
exit 1
fi

27
github/codeql-action-v1/pr-checks/checks/javascript-source-root.yml Normal file
View file

@ -0,0 +1,27 @@
name: "Custom source root"
description: "Checks that the argument specifying a non-default source root works"
versions: ["latest", "cached", "nightly-latest"] # This feature is not compatible with old CLIs
operatingSystems: ["ubuntu"]
steps:
- name: Move codeql-action
shell: bash
run: |
mkdir ../new-source-root
mv * ../new-source-root
- uses: ./../action/init
with:
languages: javascript
source-root: ../new-source-root
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
skip-queries: true
upload: false
- name: Assert database exists
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d javascript ]]; then
echo "Did not find a JavaScript database"
exit 1
fi

75
github/codeql-action-v1/pr-checks/checks/ml-powered-queries.yml Normal file
View file

@ -0,0 +1,75 @@
name: "ML-powered queries"
description: "Tests that ML-powered queries are run with the security-extended suite and that they produce alerts on a test DB"
versions: [
# Latest release in 2.7.x series
"stable-20220120",
"cached",
"latest",
"nightly-latest",
]
steps:
- uses: ./../action/init
with:
languages: javascript
queries: security-extended
source-root: ./../action/tests/ml-powered-queries-repo
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
upload-database: false
- name: Upload SARIF
uses: actions/upload-artifact@v3
with:
name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check sarif
uses: ./../action/.github/check-sarif
# Running on Windows requires CodeQL CLI 2.9.0+.
if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
queries-not-run: foo,bar
- name: Check results
env:
# Running on Windows requires CodeQL CLI 2.9.0+.
SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220120' && runner.os == 'Windows') }}
shell: bash
run: |
echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
cd "$RUNNER_TEMP/results"
# We should run at least the ML-powered queries in `expected_rules`.
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
for rule in ${expected_rules}; do
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
flatten | .[].id] | any(. == $rule)' javascript.sarif)
echo "Did find rule '${rule}': ${found_rule}"
if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
exit 1
elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
exit 1
fi
done
# We should have at least one alert from an ML-powered query.
num_alerts=$(jq '[.runs[0].results[] |
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
javascript.sarif)
echo "Found ${num_alerts} alerts from ML-powered queries.";
if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
exit 1
elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
exit 1
fi

76
github/codeql-action-v1/pr-checks/checks/multi-language-autodetect.yml Normal file
View file

@ -0,0 +1,76 @@
name: "Multi-language repository"
description: "An end-to-end integration test of a multi-language repository using automatic language detection"
operatingSystems: ["ubuntu", "macos"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
steps:
- uses: ./../action/init
id: init
with:
db-location: "${{ runner.temp }}/customDbLocation"
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
- name: Check language autodetect for all languages excluding Ruby, Swift
shell: bash
run: |
CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for CPP, or created it in the wrong location."
exit 1
fi
CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for C Sharp, or created it in the wrong location."
exit 1
fi
GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Go, or created it in the wrong location."
exit 1
fi
JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Java, or created it in the wrong location."
exit 1
fi
JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Javascript, or created it in the wrong location."
exit 1
fi
PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Python, or created it in the wrong location."
exit 1
fi
- name: Check language autodetect for Ruby
if: "(matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
shell: bash
run: |
RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Ruby, or created it in the wrong location."
exit 1
fi
- name: Check language autodetect for Swift
if: "(matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
shell: bash
run: |
SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Swift, or created it in the wrong location."
exit 1
fi

42
github/codeql-action-v1/pr-checks/checks/packaging-codescanning-config-inputs-js.yml Normal file
View file

@ -0,0 +1,42 @@
name: "Packaging: Config and input passed to the CLI"
description: "Checks that specifying packages using a combination of a config file and input to the Action works"
versions: ["latest", "cached", "nightly-latest"] # This feature is not compatible with old CLIs
env:
CODEQL_PASS_CONFIG_TO_CLI: true
steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
- name: Check results
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi

38
github/codeql-action-v1/pr-checks/checks/packaging-config-inputs-js.yml Normal file
View file

@ -0,0 +1,38 @@
name: "Packaging: Config and input"
description: "Checks that specifying packages using a combination of a config file and input to the Action works"
versions: ["latest", "cached", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
- name: Check results
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi

37
github/codeql-action-v1/pr-checks/checks/packaging-config-js.yml Normal file
View file

@ -0,0 +1,37 @@
name: "Packaging: Config file"
description: "Checks that specifying packages using only a config file works"
versions: ["latest", "cached", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging.yml"
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
- name: Check results
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi

38
github/codeql-action-v1/pr-checks/checks/packaging-inputs-js.yml Normal file
View file

@ -0,0 +1,38 @@
name: "Packaging: Action input"
description: "Checks that specifying packages using the input to the Action works"
versions: ["latest", "cached", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging2.yml"
languages: javascript
packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
- name: Check results
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi

12
github/codeql-action-v1/pr-checks/checks/remote-config.yml Normal file
View file

@ -0,0 +1,12 @@
name: "Remote config file"
description: "Checks that specifying packages using only a config file works"
steps:
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: cpp,csharp,java,javascript,python
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze

26
github/codeql-action-v1/pr-checks/checks/rubocop-multi-language.yml Normal file
View file

@ -0,0 +1,26 @@
name: "RuboCop multi-language"
description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF"
operatingSystems: ["ubuntu"]
# This check doesn't use CodeQL, so the `version` matrix variable is unused.
versions: ["cached"]
steps:
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.6
- name: Install Code Scanning integration
shell: bash
run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
- name: Install dependencies
shell: bash
run: bundle install
- name: RuboCop run
shell: bash
run: |
bash -c "
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
[[ $? -ne 2 ]]
"
- uses: ./../action/upload-sarif
with:
sarif_file: rubocop.sarif

19
github/codeql-action-v1/pr-checks/checks/ruby.yml Normal file
View file

@ -0,0 +1,19 @@
name: "Ruby analysis"
description: "Tests creation of a Ruby database"
versions: ["latest", "cached", "nightly-latest"]
operatingSystems: ["ubuntu", "macos"]
steps:
- uses: ./../action/init
with:
languages: ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
id: analysis
- name: Check database
shell: bash
run: |
RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
if [[ ! -d "$RUBY_DB" ]]; then
echo "Did not create a database for Ruby."
exit 1
fi

44
github/codeql-action-v1/pr-checks/checks/split-workflow.yml Normal file
View file

@ -0,0 +1,44 @@
name: "Split workflow"
description: "Tests a split-up workflow in which we first build a database and later analyze it"
operatingSystems: ["ubuntu", "macos"]
versions: ["latest", "cached", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
skip-queries: true
output: "${{ runner.temp }}/results"
- name: Assert No Results
shell: bash
run: |
if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
echo "Expected results directory to be empty after skipping query execution!"
exit 1
fi
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
upload-database: false
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi

34
github/codeql-action-v1/pr-checks/checks/submit-sarif-failure.yml Normal file
View file

@ -0,0 +1,34 @@
name: Submit SARIF after failure
description: Check that a SARIF file is submitted for the workflow run if it fails
versions: ["latest", "cached", "nightly-latest"]
operatingSystems: ["ubuntu"]
env:
# Internal-only environment variable used to indicate that the post-init Action
# should expect to upload a SARIF file for the failed run.
CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
# Make sure the uploading SARIF files feature is enabled.
CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
# Upload the failed SARIF file as an integration test of the API endpoint.
CODEQL_ACTION_TEST_MODE: false
# Mark telemetry for this workflow so it can be treated separately.
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
steps:
- uses: actions/checkout@v3
- uses: ./init
with:
languages: javascript
- name: Fail
# We want this job to pass if the Action correctly uploads the SARIF file for
# the failed run.
# Setting this step to continue on error means that it is marked as completing
# successfully, so will not fail the job.
continue-on-error: true
run: exit 1
- uses: ./analyze
# In a real workflow, this step wouldn't run. Since we used `continue-on-error`
# above, we manually disable it with an `if` condition.
if: false
with:
category: "/test-codeql-version:${{ matrix.version }}"

30
github/codeql-action-v1/pr-checks/checks/swift-autobuild.yml Normal file
View file

@ -0,0 +1,30 @@
name: "Swift analysis using autobuild"
description: "Tests creation of a Swift database using autobuild"
versions: ["latest", "cached", "nightly-latest"]
# Swift autobuilder is only supported on MacOS for private beta
operatingSystems: ["macos"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
steps:
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- uses: ./../action/autobuild
- uses: ./../action/analyze
id: analysis
- name: Check database
shell: bash
run: |
SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
if [[ ! -d "$SWIFT_DB" ]]; then
echo "Did not create a database for Swift."
exit 1
fi

32
github/codeql-action-v1/pr-checks/checks/swift-custom-build.yml Normal file
View file

@ -0,0 +1,32 @@
name: "Swift analysis using a custom build command"
description: "Tests creation of a Swift database using custom build"
versions: ["latest", "cached", "nightly-latest"]
operatingSystems: ["ubuntu", "macos"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
- name: Check database
shell: bash
run: |
SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
if [[ ! -d "$SWIFT_DB" ]]; then
echo "Did not create a database for Swift."
exit 1
fi

28
github/codeql-action-v1/pr-checks/checks/test-autobuild-working-dir.yml Normal file
View file

@ -0,0 +1,28 @@
name: "Autobuild working directory"
description: "Tests working-directory input of autobuild action"
versions: ["latest"]
operatingSystems: ["ubuntu"]
steps:
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
# ... and fails if attempted in the current directory
echo > build.gradle
- uses: ./../action/init
with:
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
- uses: ./../action/analyze
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d java ]]; then
echo "Did not find a Java database"
exit 1
fi

18
github/codeql-action-v1/pr-checks/checks/test-local-codeql.yml Normal file
View file

@ -0,0 +1,18 @@
name: "Local CodeQL bundle"
description: "Tests using a CodeQL bundle from a local file rather than a URL"
versions: ["nightly-latest"]
operatingSystems: ["ubuntu"]
steps:
- name: Fetch a CodeQL bundle
shell: bash
env:
CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
run: |
wget "$CODEQL_URL"
- uses: ./../action/init
with:
tools: ./codeql-bundle.tar.gz
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze

20
github/codeql-action-v1/pr-checks/checks/test-proxy.yml Normal file
View file

@ -0,0 +1,20 @@
name: "Proxy test"
description: "Tests using a proxy specified by the https_proxy environment variable"
versions: ["latest"]
operatingSystems: ["ubuntu"]
container:
image: ubuntu:22.04
options: --dns 127.0.0.1
services:
squid-proxy:
image: ubuntu/squid:latest
ports:
- 3128:3128
env:
https_proxy: http://squid-proxy:3128
steps:
- uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze

53
github/codeql-action-v1/pr-checks/checks/unset-environment.yml Normal file
View file

@ -0,0 +1,53 @@
name: "Test unsetting environment variables"
description: "An end-to-end integration test that unsets some environment variables"
operatingSystems: ["ubuntu"]
steps:
- uses: ./../action/init
with:
db-location: ${{ runner.temp }}/customDbLocation
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
# Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
# workaround for our PR checks.
run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME" ./build.sh
- uses: ./../action/analyze
id: analysis
- shell: bash
run: |
CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
echo "::error::Did not create a database for CPP, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
exit 1
fi
CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
exit 1
fi
GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
echo "::error::Did not create a database for Go, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
exit 1
fi
JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
echo "::error::Did not create a database for Java, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
exit 1
fi
JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
exit 1
fi
PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
echo "::error::Did not create a database for Python, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
exit 1
fi

20
github/codeql-action-v1/pr-checks/checks/upload-ref-sha-input.yml Normal file
View file

@ -0,0 +1,20 @@
name: "Upload-sarif: 'ref' and 'sha' from inputs"
description: "Checks that specifying 'ref' and 'sha' as inputs works"
steps:
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: cpp,csharp,java,javascript,python
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
ref: 'refs/heads/main'
sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
upload: false
- uses: ./../action/upload-sarif
with:
ref: 'refs/heads/main'
sha: '5e235361806c361d4d3f8859e3c897658025a9a2'

67
github/codeql-action-v1/pr-checks/checks/with-checkout-path.yml Normal file
View file

@ -0,0 +1,67 @@
name: "Use a custom `checkout_path`"
description: "Checks that a custom `checkout_path` will find the proper commit_oid"
steps:
# Check out the actions repo again, but at a different location.
# choose an arbitrary SHA so that we can later test that the commit_oid is not from main
- uses: actions/checkout@v3
with:
ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
path: x/y/z/some-path
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
# it's enough to test one compiled language and one interpreted language
languages: csharp,javascript
source-path: x/y/z/some-path/tests/multi-language-repo
debug: true
- name: Build code (non-windows)
shell: bash
if: ${{ runner.os != 'Windows' }}
run: |
$CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
- name: Build code (windows)
shell: bash
if: ${{ runner.os == 'Windows' }}
run: |
x/y/z/some-path/tests/multi-language-repo/build.sh
- uses: ./../action/analyze
with:
checkout_path: x/y/z/some-path/tests/multi-language-repo
ref: v1.1.0
sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
upload: false
- uses: ./../action/upload-sarif
with:
ref: v1.1.0
sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
checkout_path: x/y/z/some-path/tests/multi-language-repo
- name: Verify SARIF after upload
shell: bash
run: |
EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
EXPECTED_REF="v1.1.0"
EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
echo "$RUNNER_TEMP/payload.json"
exit 1
fi
if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
echo "$RUNNER_TEMP/payload.json"
exit 1
fi
if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
echo "$RUNNER_TEMP/payload.json"
exit 1
fi

145
github/codeql-action-v1/pr-checks/sync.py Normal file
View file

@ -0,0 +1,145 @@
import ruamel.yaml
import os
# The default set of CodeQL Bundle versions to use for the PR checks.
defaultTestVersions = [
# The oldest supported CodeQL version: 2.6.3. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
"stable-20211005",
# The last CodeQL release in the 2.7 series: 2.7.6.
"stable-20220120",
# The last CodeQL release in the 2.8 series: 2.8.5.
"stable-20220401",
# The version of CodeQL currently in the toolcache. Typically either the latest release or the one before.
"cached",
# The latest release of CodeQL.
"latest",
# A nightly build directly from the our private repo, built in the last 24 hours.
"nightly-latest"
]
def isCompatibleWithLatestImages(version):
if version in ["cached", "latest", "nightly-latest"]:
return True
date = version.split("-")[1]
# The first version of the CodeQL CLI compatible with `ubuntu-22.04` and `windows-2022` is
# 2.8.2. This appears in CodeQL Bundle version codeql-bundle-20220224.
return date >= "20220224"
def operatingSystemsForVersion(version):
if isCompatibleWithLatestImages(version):
return ["ubuntu-latest", "macos-latest", "windows-latest"]
else:
return ["ubuntu-20.04", "macos-latest", "windows-2019"]
header = """# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# pip install ruamel.yaml && python3 sync.py
# to regenerate this file.
"""
class NonAliasingRTRepresenter(ruamel.yaml.representer.RoundTripRepresenter):
def ignore_aliases(self, data):
return True
def writeHeader(checkStream):
checkStream.write(header)
yaml = ruamel.yaml.YAML()
yaml.Representer = NonAliasingRTRepresenter
allJobs = {}
for file in os.listdir('checks'):
with open(f"checks/{file}", 'r') as checkStream:
checkSpecification = yaml.load(checkStream)
matrix = []
for version in checkSpecification.get('versions', defaultTestVersions):
runnerImages = operatingSystemsForVersion(version)
if checkSpecification.get('operatingSystems', None):
runnerImages = [image for image in runnerImages for operatingSystem in checkSpecification['operatingSystems']
if image.startswith(operatingSystem)]
for runnerImage in runnerImages:
matrix.append({
'os': runnerImage,
'version': version
})
steps = [
{
'name': 'Check out repository',
'uses': 'actions/checkout@v3'
},
{
'name': 'Prepare test',
'id': 'prepare-test',
'uses': './.github/prepare-test',
'with': {
'version': '${{ matrix.version }}'
}
}
]
if any(not isCompatibleWithLatestImages(m['version']) for m in matrix):
steps.append({
'name': 'Set up Go',
'if': "matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'",
'uses': 'actions/setup-go@v3',
'with': {
'go-version': '^1.13.1'
}
})
steps.extend(checkSpecification['steps'])
checkJob = {
'strategy': {
'matrix': {
'include': matrix
}
},
'name': checkSpecification['name'],
'timeout-minutes': 45,
'runs-on': '${{ matrix.os }}',
'steps': steps
}
for key in ["env", "container", "services"]:
if key in checkSpecification:
checkJob[key] = checkSpecification[key]
checkJob['env'] = checkJob.get('env', {})
if 'CODEQL_ACTION_TEST_MODE' not in checkJob['env']:
checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
checkName = file[:len(file) - 4]
with open(f"../.github/workflows/__{checkName}.yml", 'w') as output_stream:
writeHeader(output_stream)
yaml.dump({
'name': f"PR Check - {checkSpecification['name']}",
'env': {
'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}',
'GO111MODULE': 'auto',
# Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
# workaround for our PR checks.
'CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN': 'true',
},
'on': {
'push': {
'branches': ['main', 'releases/v1', 'releases/v2']
},
'pull_request': {
'types': ["opened", "synchronize", "reopened", "ready_for_review"]
},
'workflow_dispatch': {}
},
'jobs': {
checkName: checkJob
}
}, output_stream)