loongclaw/.github/workflows/codeql.yml at dev · opc-source/loongclaw · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
name: CodeQL

on:
  push:
    branches:
      - dev
      - main
      - release
      - 'release/**'
  pull_request:
    branches:
      - dev
      - main
      - release
      - 'release/**'
  schedule:
    - cron: "0 5 * * 1"

jobs:
  analyze:
    permissions:
      actions: read
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language:
          - rust

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: Detect Advanced Security availability
        id: ghas
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        with:
          script: |
            const { owner, repo } = context.repo;
            try {
              const { data } = await github.rest.repos.get({ owner, repo });
              const status = data?.security_and_analysis?.advanced_security?.status;
              const enabled = status === "enabled";
              core.info(`security_and_analysis.advanced_security.status=${status ?? "unavailable"}`);
              core.setOutput("enabled", enabled ? "true" : "false");
              if (!enabled) {
                core.notice("GitHub Advanced Security is unavailable; skipping CodeQL upload to avoid false-red CI.");
              }
            } catch (error) {
              core.warning(`failed to inspect repository security settings; skipping CodeQL. error=${error.message}`);
              core.setOutput("enabled", "false");
            }

      - name: Initialize CodeQL
        if: steps.ghas.outputs.enabled == 'true'
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality

      - name: Autobuild
        if: steps.ghas.outputs.enabled == 'true'
        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13

      - name: Analyze
        if: steps.ghas.outputs.enabled == 'true'
        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13
        timeout-minutes: 10

      - name: Skip CodeQL when GHAS is unavailable
        if: steps.ghas.outputs.enabled != 'true'
        run: |
          echo "GitHub Advanced Security is not enabled for this repository."
          echo "Skipping CodeQL analyze/upload step to keep CI green for code changes."