From 13d0e7819e17727005c050550770ce3b7761de25 Mon Sep 17 00:00:00 2001
From: Armin
Date: Wed, 19 Feb 2025 11:08:13 +0100
Subject: [PATCH 1/4] Add CodeQL Workflow

---
 .github/workflows/codeql.yml | 52 ++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..49b3232
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,52 @@
+# This workflow configures CodeQL as the auto-configuration fails for Java/Kotlin.
+#
+# @author Armin Schnabel
+# @version 1.0.0
+# @since 4.2.0
+name: "CodeQL Analysis"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '30 1 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze (Kotlin)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: java-kotlin
+          build-mode: manual
+
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Cache Gradle dependencies
+        uses: actions/cache@v3
+        with:
+          path: ~/.gradle/caches
+          # Only update cache on hash change (gradle build files and the wrapper properties)
+          key: gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          restore-keys: gradle-
+
+      - name: Grant execute permission for Gradle wrapper
+        run: chmod +x gradlew
+
+      - name: Build with Gradle
+        run: ./gradlew build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

From c614e4b0f0855220a4ce2233c8272f04bce35ae5 Mon Sep 17 00:00:00 2001
From: Armin
Date: Wed, 19 Feb 2025 11:15:53 +0100
Subject: [PATCH 2/4] Fix workflow

---
 .github/workflows/codeql.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 49b3232..2205c16 100644
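Review bot: Every `uses:` in the new workflow references a mutable tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `actions/setup-java@v3`, `actions/cache@v3`, `github/codeql-action/analyze@v2`), so the job executes whatever commit those tags point to at run time, in a job that builds the code and will be granted `security-events: write`. Pinning each action to a full-length commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, makes the dependency reproducible and reviewable, and a tool such as Dependabot can still bump the pin. The same applies to the action references touched in PATCH 4/4, which still use floating tags.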
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -34,6 +34,10 @@ jobs:
           distribution: 'temurin'
           java-version: '17'
 
+      - name: Add gradle.properties
+        run: |
+          cp gradle.properties.template gradle.properties
+
       - name: Cache Gradle dependencies
         uses: actions/cache@v3
         with:

From 5570e88a4cf86f9265ac295ff16f7360032122f8 Mon Sep 17 00:00:00 2001
From: Armin
Date: Wed, 19 Feb 2025 11:17:14 +0100
Subject: [PATCH 3/4] Set workflow permissions explicitly (fix warnings)

---
 .github/workflows/codeql.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2205c16..5fa81fd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,6 +13,10 @@ on:
   schedule:
     - cron: '30 1 * * 1'
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze (Kotlin)

From ce612a3e5e7bafe216401881abac9cb85c12780b Mon Sep 17 00:00:00 2001
From: Armin
Date: Wed, 19 Feb 2025 11:46:14 +0100
Subject: [PATCH 4/4] Adjust workflow

---
 .github/workflows/codeql.yml       | 43 ++++++++++++++++++------------
 .github/workflows/gradle_build.yml |  8 ++++++
 2 files changed, 34 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5fa81fd..ff2341c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,26 +11,34 @@ on:
   pull_request:
     branches: [ main ]
   schedule:
-    - cron: '30 1 * * 1'
-
-permissions:
-  contents: read
-  security-events: write
+    - cron: '23 11 * * 2'
 
 jobs:
   analyze:
-    name: Analyze (Kotlin)
-    runs-on: ubuntu-latest
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: java-kotlin
+            build-mode: manual # autobuild fails (gradle.properties required)
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         with:
-          languages: java-kotlin
-          build-mode: manual
+          # 'java-kotlin' to analyze code written in Java, Kotlin or both
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
 
       - name: Set up JDK
         uses: actions/setup-java@v3
@@ -38,10 +46,6 @@ jobs:
           distribution: 'temurin'
           java-version: '17'
 
-      - name: Add gradle.properties
-        run: |
-          cp gradle.properties.template gradle.properties
-
       - name: Cache Gradle dependencies
         uses: actions/cache@v3
         with:
@@ -50,11 +54,16 @@ jobs:
           key: gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
           restore-keys: gradle-
 
-      - name: Grant execute permission for Gradle wrapper
-        run: chmod +x gradlew
+      #- name: Grant execute permission for Gradle wrapper
+      # run: chmod +x gradlew
+
+      - name: Add gradle.properties
+        run: cp gradle.properties.template gradle.properties
 
       - name: Build with Gradle
         run: ./gradlew build
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/gradle_build.yml b/.github/workflows/gradle_build.yml
index fbd1bcb..a99d71d 100644
--- a/.github/workflows/gradle_build.yml
+++ b/.github/workflows/gradle_build.yml
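Review bot: The job-level `permissions:` block added in the first hunk grants only `security-events: write`, which sets every other scope for this job to none, while the workflow-level block it removes also had `contents: read`; `actions/checkout` relies on `contents: read` at least for private repositories, and GitHub's CodeQL template additionally lists `actions: read` (private repositories) and `packages: read` (private CodeQL packs), so at minimum keep `contents: read` next to `security-events: write`. The same hunk leaves `github/codeql-action/init@v2` in place although the last hunk of this patch moves `analyze` to `@v3`; the init and analyze steps are expected to come from the same major version, and v2 of the CodeQL action is deprecated, so `uses: github/codeql-action/init@v3`. The `runs-on` expression still branches on `matrix.language == 'swift'` even though the matrix only contains `java-kotlin`, so `runs-on: ubuntu-latest` states what actually happens; if the expression is kept as template scaffolding, a comment saying so would help the next reader.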
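Review bot: In the third hunk the `Grant execute permission for Gradle wrapper` step is commented out (`#- name: …`, `# run: chmod +x gradlew`) rather than removed, which leaves dead YAML in the workflow with no explanation of whether it is still needed. If `gradlew` is committed with the executable bit set the two comment lines can simply be deleted; if it is not, `./gradlew build` two steps later fails with a permission error and the step should be restored instead. Either way a one-line comment stating why the step went away, e.g. `# gradlew is committed executable; no chmod needed`, would record the decision.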
@@ -34,5 +34,13 @@ jobs:
         run: |
           cp gradle.properties.template gradle.properties
 
+      - name: Cache Gradle dependencies
+        uses: actions/cache@v3
+        with:
+          path: ~/.gradle/caches
+          # Only update cache on hash change (gradle build files and the wrapper properties)
+          key: gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+          restore-keys: gradle-
+
       - name: Build with Gradle
         run: ./gradlew build
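Review bot: The added cache step is a verbatim copy of the block in codeql.yml (`path`, `key`, `restore-keys`), and both only cache `~/.gradle/caches`, so the Gradle distribution under `~/.gradle/wrapper` is downloaded again on every run despite the key hashing `gradle-wrapper.properties`. If this workflow sets up the JDK with `actions/setup-java` as codeql.yml does, its `cache: gradle` input caches the Gradle directories keyed on the same build files and replaces the duplicated step in both workflows; if the explicit step stays, `actions/cache@v3` should be pinned to a full-length commit SHA like the other actions. The enclosing job and `steps:` list start outside the hunk.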