mirror of
https://github.com/OpenTTD/OpenTTD
synced 2026-01-15 16:32:41 +01:00
b28b35c239
Each cache is ~1GB. And you can only have 10GB of cache. So after 10 runs, our cache is full of trap caches. The kicker? We don't actually benefit from this cache. It is only used if you re-run CodeQL over the exact same codebase (without changes), to quickly re-evaluate the latest CodeQL set. We are way to active to have any benefit from that, and we don't run CodeQL on a schedule to ever pick up on the cache.
123 lines
3.2 KiB
YAML
123 lines
3.2 KiB
YAML
name: CodeQL
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
pull_request:
|
|
# The branches below must be a subset of the branches above
|
|
branches:
|
|
- master
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
security-events: write
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup vcpkg caching
|
|
uses: actions/github-script@v7
|
|
with:
|
|
script: |
|
|
core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
|
|
core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
|
|
core.exportVariable('VCPKG_BINARY_SOURCES', 'clear;x-gha,readwrite')
|
|
|
|
- name: Install vcpkg
|
|
run: |
|
|
git clone https://github.com/microsoft/vcpkg ${{ runner.temp }}/vcpkg
|
|
${{ runner.temp }}/vcpkg/bootstrap-vcpkg.sh -disableMetrics
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
echo "::group::Update apt"
|
|
sudo apt-get update
|
|
echo "::endgroup::"
|
|
|
|
echo "::group::Install dependencies"
|
|
sudo apt-get install -y --no-install-recommends \
|
|
liballegro4-dev \
|
|
libcurl4-openssl-dev \
|
|
libfontconfig-dev \
|
|
libharfbuzz-dev \
|
|
libicu-dev \
|
|
liblzma-dev \
|
|
liblzo2-dev \
|
|
libopus-dev \
|
|
libopusfile-dev \
|
|
libsdl2-dev \
|
|
zlib1g-dev \
|
|
# EOF
|
|
|
|
echo "::group::Install vcpkg dependencies"
|
|
|
|
# Disable vcpkg integration, as we mostly use system libraries.
|
|
mv vcpkg.json vcpkg-disabled.json
|
|
|
|
# We only use breakpad from vcpkg, as its CMake files
|
|
# are a bit special. So the Ubuntu's variant doesn't work.
|
|
${{ runner.temp }}/vcpkg/vcpkg install breakpad
|
|
|
|
echo "::endgroup::"
|
|
env:
|
|
DEBIAN_FRONTEND: noninteractive
|
|
|
|
- name: Prepare build
|
|
run: |
|
|
mkdir build
|
|
cd build
|
|
|
|
echo "::group::CMake"
|
|
cmake .. -DCMAKE_TOOLCHAIN_FILE=${{ runner.temp }}/vcpkg/scripts/buildsystems/vcpkg.cmake
|
|
echo "::endgroup::"
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@v3
|
|
with:
|
|
languages: cpp
|
|
config-file: ./.github/codeql/codeql-config.yml
|
|
trap-caching: false
|
|
|
|
- name: Build
|
|
run: |
|
|
cd build
|
|
|
|
echo "::group::Build"
|
|
echo "Running on $(nproc) cores"
|
|
cmake --build . -j $(nproc)
|
|
echo "::endgroup::"
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@v3
|
|
with:
|
|
category: /language:cpp
|
|
upload: False
|
|
output: sarif-results
|
|
|
|
- name: Filter out table & generated code
|
|
uses: advanced-security/filter-sarif@v1
|
|
with:
|
|
patterns: |
|
|
+**/*.*
|
|
-**/table/*.*
|
|
-**/generated/**/*.*
|
|
-**/tests/*.*
|
|
input: sarif-results/cpp.sarif
|
|
output: sarif-results/cpp.sarif
|
|
|
|
- name: Upload results
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: sarif-results/cpp.sarif
|