From b3a3a256da34120d8421da1d4cc01799656b0cd1 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Wed, 31 Jan 2024 20:02:24 +0100 Subject: [PATCH] ci: introduce CodeQL Analyze the polkit code using CodeQL [0], to discover potential vulnerabilities before they reach the main branch. [0] https://codeql.github.com/docs/ --- .github/workflows/codeql.yml | 52 ++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..920365a3 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,52 @@ +--- +# vi: ts=2 sw=2 et: +name: "CodeQL" + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + security-events: write + concurrency: + group: ${{ github.workflow }}-${{ matrix.ref }}-${{ matrix.language }} + cancel-in-progress: true + strategy: + fail-fast: false + matrix: + language: ['c-cpp', 'javascript-typescript', 'python'] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: +security-extended,security-and-quality + + - name: Install dependencies + if: ${{ matrix.language == 'c-cpp' }} + run: | + sudo add-apt-repository -y --no-update --enable-source + sudo apt update + sudo apt build-dep -y policykit-1 + # polkit in Ubuntu Jammy (ATTOW) doesn't have the latest build dependencies yet + sudo apt install -y duktape-dev meson + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}"