--- # Run CodeQL to analyze C/C++ and Python code. name: CodeQL on: pull_request: types: [opened, reopened, labeled, synchronize] branches: [master] push: branches: [master] schedule: - cron: "27 2 * * 1" env: DISABLE_TELEMETRY: 1 concurrency: group: codeql-${{ github.ref }} cancel-in-progress: true jobs: prepare: name: Prepare Jobs runs-on: ubuntu-latest outputs: cpp: ${{ steps.cpp.outputs.run }} python: ${{ steps.python.outputs.run }} go: ${{ steps.go.outputs.run }} steps: - name: Clone repository uses: actions/checkout@v4 with: submodules: recursive fetch-depth: 0 - name: Check if we should always run id: always run: | if [ "${{ github.event_name }}" = "pull_request" ]; then if [ "${{ contains(github.event.pull_request.labels.*.name, 'run-ci/codeql') }}" = "true" ]; then echo "run=true" >> "${GITHUB_OUTPUT}" echo '::notice::Found ci/codeql label, unconditionally running all CodeQL checks.' else echo "run=false" >> "${GITHUB_OUTPUT}" fi else echo "run=true" >> "${GITHUB_OUTPUT}" fi - name: Check for C/C++ changes id: cpp run: | if [ "${{ steps.always.outputs.run }}" = "false" ]; then if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq '.*\.[ch](xx|\+\+)?' ; then echo "run=true" >> "${GITHUB_OUTPUT}" echo '::notice::C/C++ code has changed, need to run CodeQL.' else echo "run=false" >> "${GITHUB_OUTPUT}" fi else echo "run=true" >> "${GITHUB_OUTPUT}" fi - name: Check for python changes id: python run: | if [ "${{ steps.always.outputs.run }}" = "false" ]; then if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq 'src/collectors/python.d.plugin/.*\.py' ; then echo "run=true" >> "${GITHUB_OUTPUT}" echo '::notice::Python code has changed, need to run CodeQL.' else echo "run=false" >> "${GITHUB_OUTPUT}" fi else echo "run=true" >> "${GITHUB_OUTPUT}" fi - name: Check for Go changes id: go run: | if [ "${{ steps.always.outputs.run }}" = "false" ]; then if git diff --name-only origin/${{ github.base_ref }} HEAD | grep -Eq 'src/go/*\.go' ; then echo "run=true" >> "${GITHUB_OUTPUT}" echo '::notice::Go code has changed, need to run CodeQL.' else echo "run=false" >> "${GITHUB_OUTPUT}" fi else echo "run=true" >> "${GITHUB_OUTPUT}" fi analyze-cpp: name: Analyze C/C++ runs-on: ubuntu-latest needs: prepare if: needs.prepare.outputs.cpp == 'true' permissions: security-events: write steps: - name: Git clone repository uses: actions/checkout@v4 with: submodules: recursive fetch-depth: 0 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: cpp config-file: ./.github/codeql/c-cpp-config.yml - name: Prepare environment run: ./packaging/installer/install-required-packages.sh --dont-wait --non-interactive netdata - name: Build netdata run: ./netdata-installer.sh --dont-start-it --disable-telemetry --dont-wait --install-prefix /tmp/install --one-time-build - name: Run CodeQL uses: github/codeql-action/analyze@v3 with: category: "/language:cpp" analyze-python: name: Analyze Python runs-on: ubuntu-latest needs: prepare if: needs.prepare.outputs.python == 'true' permissions: security-events: write steps: - name: Git clone repository uses: actions/checkout@v4 with: submodules: recursive fetch-depth: 0 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: config-file: ./.github/codeql/python-config.yml languages: python - name: Run CodeQL uses: github/codeql-action/analyze@v3 with: category: "/language:python" analyze-go: name: Analyze Go runs-on: ubuntu-latest needs: prepare if: needs.prepare.outputs.go == 'true' strategy: matrix: tree: - src/go/collectors/go.d.plugin permissions: security-events: write steps: - name: Git clone repository uses: actions/checkout@v4 with: submodules: recursive fetch-depth: 0 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: go - name: Autobuild uses: github/codeql-action/autobuild@v3 with: working-directory: ${{ matrix.tree }} - name: Run CodeQL uses: github/codeql-action/analyze@v3 with: category: "/language:go"