curl/.github/workflows/codeql.yml at master · oasislinux/curl · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# SPDX-License-Identifier: curl

name: 'CodeQL'

'on':
  push:
    branches:
      - master
      - '*/ci'
    paths-ignore:
      - '**/*.md'
      - '.circleci/**'
      - 'appveyor.*'
      - 'projects/**'
      - 'tests/data/**'
  pull_request:
    branches:
      - master
    paths-ignore:
      - '**/*.md'
      - '.circleci/**'
      - 'appveyor.*'
      - 'projects/**'
      - 'tests/data/**'
  schedule:
    - cron: '0 0 * * 4'

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

permissions: {}

env:
  DO_NOT_TRACK: '1'

jobs:
  gha_python:
    if: ${{ github.repository_owner == 'curl' || github.event_name != 'schedule' }}
    name: 'GHA and Python'
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # To create/update security events
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: 'initialize'
        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          languages: actions, python
          queries: security-extended

      - name: 'perform analysis'
        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4

  c:
    if: ${{ github.repository_owner == 'curl' || github.event_name != 'schedule' }}
    name: 'C'
    runs-on: ${{ matrix.platform == 'Linux' && 'ubuntu-latest' || 'windows-2022' }}
    permissions:
      security-events: write  # To create/update security events
    strategy:
      fail-fast: false
      matrix:
        platform: [Linux, Windows]
    env:
      MATRIX_PLATFORM: '${{ matrix.platform }}'
    steps:
      - name: 'install prereqs'
        if: ${{ matrix.platform == 'Linux' }}
        timeout-minutes: 2
        run: |
          sudo find /etc/apt/sources.list.d -type f -not -name 'ubuntu.sources' -delete -print
          sudo sed -i 's/priority:1/priority:9/' /etc/apt/apt-mirrors.txt; cat /etc/apt/apt-mirrors.txt
          sudo apt-get -o Dpkg::Use-Pty=0 update
          sudo apt-get -o Dpkg::Use-Pty=0 install \
            libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev libssh-dev \
            libnghttp2-dev libldap-dev libkrb5-dev libgnutls28-dev libwolfssl-dev
          HOMEBREW_NO_AUTO_UPDATE=1 /home/linuxbrew/.linuxbrew/bin/brew install c-ares gsasl libnghttp3 libngtcp2 mbedtls rustls-ffi

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: 'delete test input C files'
        shell: bash
        run: find tests/data -name '*.c' -delete

      - name: 'initialize'
        # https://github.com/github/codeql-action/blob/main/init/action.yml
        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          languages: cpp
          build-mode: manual
          trap-caching: false

      - name: 'build'
        timeout-minutes: 10
        shell: bash
        run: |
          if [ "${MATRIX_PLATFORM}" = 'Windows' ]; then
            cmake -B . -DBUILD_SHARED_LIBS=OFF -DCURL_DROP_UNUSED=ON -DCURL_WERROR=ON \
              -DCMAKE_VS_GLOBALS=TrackFileAccess=false \
              -DCURL_USE_SCHANNEL=ON -DCURL_USE_LIBPSL=OFF -DUSE_WIN32_IDN=ON
            cmake --build . --verbose
            src/Debug/curl.exe --disable --version
          else
            eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"

            export PKG_CONFIG_PATH

            # MultiSSL
            PKG_CONFIG_PATH="$(brew --prefix c-ares)/lib/pkgconfig:$(brew --prefix mbedtls)/lib/pkgconfig:$(brew --prefix rustls-ffi)/lib/pkgconfig:$(brew --prefix gsasl)/lib/pkgconfig"
            cmake -B _bld1 -G Ninja -DCURL_DISABLE_TYPECHECK=ON -DCURL_WERROR=ON -DENABLE_DEBUG=ON \
              -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DCURL_USE_RUSTLS=ON -DCURL_USE_WOLFSSL=ON \
              -DCURL_USE_GSASL=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON -DUSE_ECH=ON -DENABLE_ARES=ON \
              -DCURL_DISABLE_VERBOSE_STRINGS=ON
            cmake --build _bld1
            cmake --build _bld1 --target testdeps
            cmake --build _bld1 --target curl-examples-build

            # HTTP/3
            PKG_CONFIG_PATH="$(brew --prefix libnghttp3)/lib/pkgconfig:$(brew --prefix libngtcp2)/lib/pkgconfig:$(brew --prefix gsasl)/lib/pkgconfig"
            cmake -B _bld2 -G Ninja -DCURL_DISABLE_TYPECHECK=ON -DCURL_WERROR=ON \
              -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR="$(brew --prefix openssl)" -DUSE_NGTCP2=ON \
              -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON \
              -DCURL_USE_GSASL=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON
            cmake --build _bld2
            cmake --build _bld2 --target testdeps
            cmake --build _bld2 --target curl-examples-build

            _bld1/src/curl --disable --version
            _bld2/src/curl --disable --version
          fi

      - name: 'perform analysis'
        # https://github.com/github/codeql-action/blob/main/analyze/action.yml
        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4