chore: update global workflows (#3813)

Co-authored-by: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com>
2025-08-10 00:52:16 +00:00 · 2025-04-25 19:09:06 -04:00
parent 65b0217a90
commit 1df4c89026
24 changed files with 256 additions and 177 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,17 +1,21 @@
 ---
-# This action is centrally managed in https://github.com/<organization>/.github/
+# This workflow is centrally managed in https://github.com/<organization>/.github/
 # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in
 # the above-mentioned repo.

 # This workflow will analyze all supported languages in the repository using CodeQL Analysis.

 name: "CodeQL"
+permissions:
+  contents: read

 on:
  push:
-    branches: ["master"]
+    branches:
+      - master
  pull_request:
-    branches: ["master"]
+    branches:
+      - master
  schedule:
    - cron: '00 12 * * 0'  # every Sunday at 12:00 UTC

@@ -22,14 +26,17 @@ concurrency:
 jobs:
  languages:
    name: Get language matrix
-    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.lang.outputs.result }}
      continue: ${{ steps.continue.outputs.result }}
+    runs-on: ubuntu-latest
    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
      - name: Get repo languages
-        uses: actions/github-script@v7
        id: lang
+        uses: actions/github-script@v7
        with:
          script: |
            // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift']
@@ -54,6 +61,22 @@ jobs:
            // Track languages we've already added to avoid duplicates
            const addedLanguages = new Set()

+            // Check if workflow files exist to determine if we should add actions language
+            const fs = require('fs');
+            const hasYmlFiles = fs.existsSync('.github/workflows') &&
+            fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml'));
+
+            // Add actions language if workflow files exist
+            if (hasYmlFiles) {
+              console.log('Found GitHub Actions workflow files. Adding actions to the matrix.');
+              matrix['include'].push({
+                "category": "/language:actions",
+                "language": "actions",
+                "name": "actions",
+                "os": "ubuntu-latest"
+              });
+            }
+
            for (let [key, value] of Object.entries(response.data)) {
              // remap language
              if (remap_languages[key.toLowerCase()]) {
@@ -78,11 +101,18 @@ jobs:
                  // set name for matrix
                  let name = osList.length === 1 ? normalizedKey : `${normalizedKey}, ${os}`

+                  // set category for matrix
+                  let category = `/language:${normalizedKey}`
+                  if (normalizedKey === 'cpp') {
+                    category = `/language:cpp-${os.split('-')[0]}`
+                  }
+
                  // add to matrix
                  matrix['include'].push({
+                    "category": category,
                    "language": normalizedKey,
-                    "os": os,
-                    "name": name
+                    "name": name,
+                    "os": os
                  })
                }
              }
@@ -94,8 +124,8 @@ jobs:
            return matrix

      - name: Continue
-        uses: actions/github-script@v7
        id: continue
+        uses: actions/github-script@v7
        with:
          script: |
            // if matrix['include'] is an empty list return false, otherwise true
@@ -109,24 +139,22 @@ jobs:

  analyze:
    name: Analyze (${{ matrix.name }})
-    if: ${{ needs.languages.outputs.continue == 'true' }}
+    if: needs.languages.outputs.continue == 'true'
    defaults:
      run:
        shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }}
    env:
      GITHUB_CODEQL_BUILD: true
-    needs: [languages]
-    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    needs: languages
    permissions:
      actions: read
      contents: read
      security-events: write
-
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.languages.outputs.matrix) }}
-
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    steps:
      - name: Maximize build space
        if: >-
@@ -174,8 +202,7 @@ jobs:
              - third-party

      # Pre autobuild
-      # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository
-      # create a file named .codeql-build-${{ matrix.language }}.sh in the root of your repository
+      # create a file named .codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh in the root of your repository
      - name: Prebuild
        id: prebuild
        run: |
@@ -194,7 +221,7 @@ jobs:
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
-          category: "/language:${{matrix.language}}"
+          category: "${{ matrix.category }}"
          output: sarif-results
          upload: failure-only

@@ -211,6 +238,7 @@ jobs:
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
+          category: "${{ matrix.category }}"
          sarif_file: sarif-results/${{ matrix.language }}.sarif

      - name: Upload loc as a Build Artifact
@@ -218,4 +246,5 @@ jobs:
        with:
          name: sarif-results-${{ matrix.language }}-${{ runner.os }}
          path: sarif-results
+          if-no-files-found: error
          retention-days: 1