1#
2#  Copyright (c) 2022, The OpenThread Authors.
3#  All rights reserved.
4#
5#  Redistribution and use in source and binary forms, with or without
6#  modification, are permitted provided that the following conditions are met:
7#  1. Redistributions of source code must retain the above copyright
8#     notice, this list of conditions and the following disclaimer.
9#  2. Redistributions in binary form must reproduce the above copyright
10#     notice, this list of conditions and the following disclaimer in the
11#     documentation and/or other materials provided with the distribution.
12#  3. Neither the name of the copyright holder nor the
13#     names of its contributors may be used to endorse or promote products
14#     derived from this software without specific prior written permission.
15#
16#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26#  POSSIBILITY OF SUCH DAMAGE.
27#
28
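name: "CodeQL"

# GitHub CodeQL static analysis on every push to main and every pull request
# targeting main.  The `pull_request` event (not `pull_request_target`) is
# deliberate: the repository's own build script is executed below, so a PR
# from a fork must only ever run with the default read-only GITHUB_TOKEN and
# without repository secrets.
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# Least-privilege default for every job in this workflow; individual jobs
# widen only the scopes they actually need.
permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read           # codeql-action reads workflow-run metadata
      contents: read          # actions/checkout
      security-events: write  # upload SARIF results to code scanning

    strategy:
      # Keep analysing the other language when one matrix leg fails.
      fail-fast: false
      matrix:
        language: [ 'cpp', 'python' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
    # Every third-party action is pinned to a full commit SHA so that a moved
    # or force-pushed tag cannot swap in different code; the trailing comment
    # records the human-readable version the SHA corresponds to.
    - name: Harden Runner
      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
      with:
        # NOTE: 'audit' only records outbound connections in the job summary;
        # nothing is blocked, so this does not yet protect against exfiltration
        # from a compromised dependency or action.  Once a few runs have shown
        # which hosts this job really needs, switch to 'egress-policy: block'
        # together with an 'allowed-endpoints:' list derived from that audit log.
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Bootstrap
      # Refresh the package index before installing: the runner image's cached
      # index can be stale, in which case the install fails on moved packages.
      run: |
        sudo apt-get update
        sudo apt-get --no-install-recommends install -y ninja-build libreadline-dev libncurses-dev

    - name: Initialize CodeQL
      uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.

        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

    # CodeQL's C/C++ extractor observes a real compilation, so the project must
    # be built between the init and analyze steps.  The Python extractor needs
    # no build; this step could be gated with `if: matrix.language == 'cpp'`
    # once it is confirmed that the build generates no Python sources.
    - name: Build
      run: |
        ./script/test build

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
      with:
        # A distinct category per matrix leg keeps the per-language uploads for
        # the same commit apart instead of one replacing the other.
        category: "/language:${{matrix.language}}"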
86