-
Notifications
You must be signed in to change notification settings - Fork 129
391 lines (325 loc) · 14.2 KB
/
codeql.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
# This workflow runs CodeQL against the repository.
#
# Results are uploaded to GitHub Code Scanning.
#
# Note: Important: This file currently only works with "CI" builds. "Platform" builds can
# be supported without much effort but that will be done in the future.
#
# Note: This workflow only supports Windows as CodeQL CLI has confirmed issues running
# against edk2-style codebases on Linux (only tested on Ubuntu). Therefore, this
# workflow is written only for Windows but could easily be adapted to run on Linux
# in the future if needed (e.g. swap out "windows" with agent OS var value, etc.)
#
# NOTE: This file is automatically synchronized from Mu DevOps. Update the original file there
# instead of the file in this repo.
#
# - Mu DevOps Repo: https://github.com/microsoft/mu_devops
# - File Sync Settings: https://github.com/microsoft/mu_devops/blob/main/.sync/Files.yml
#
# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: BSD-2-Clause-Patent
name: "CodeQL"
on:
push:
branches:
- main
- release/*
pull_request:
branches:
- main
- release/*
paths-ignore:
- '!**.c'
- '!**.h'
jobs:
gather_packages:
name: Gather Repo Packages
runs-on: ubuntu-latest
outputs:
packages: ${{ steps.generate_matrix.outputs.packages }}
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Python
uses: actions/setup-python@v4
with:
python-version: '>=3.11'
- name: Generate Package Matrix
id: generate_matrix
shell: python
run: |
import os
import json
packages = [d for d in os.listdir() if d.strip().lower().endswith('pkg')]
# Ensure the package can actually be built
for package in packages:
if not any(file.endswith('.dsc') for file in os.listdir(package)):
packages.remove(package)
packages.sort()
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'packages={json.dumps(packages)}', file=fh)
analyze:
name: Analyze
runs-on: windows-2022
needs:
- gather_packages
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
package: ${{ fromJson(needs.gather_packages.outputs.packages) }}
include:
- archs: IA32,X64
- tool_chain_tag: VS2022
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Python
uses: actions/setup-python@v4
with:
python-version: '>=3.11'
cache: 'pip'
cache-dependency-path: 'pip-requirements.txt'
- name: Use Git Long Paths on Windows
if: runner.os == 'Windows'
shell: pwsh
run: |
git config --system core.longpaths true
- name: Install/Upgrade pip Modules
run: pip install -r pip-requirements.txt --upgrade requests
- name: Determine CI Settings File Supported Operations
id: get_ci_file_operations
shell: python
run: |
import importlib
import os
import sys
from pathlib import Path
from edk2toolext.invocables.edk2_ci_setup import CiSetupSettingsManager
from edk2toolext.invocables.edk2_setup import SetupSettingsManager
# Find the CI Settings file (usually in .pytool/CISettings.py)
ci_settings_file = list(Path(os.environ['GITHUB_WORKSPACE']).rglob('.pytool/CISettings.py'))
# Note: At this point, submodules have not been pulled, only one CI Settings file should exist
if len(ci_settings_file) != 1 or not ci_settings_file[0].is_file():
print("::error title=Workspace Error!::Failed to find CI Settings file!")
sys.exit(1)
ci_settings_file = ci_settings_file[0]
# Try Finding the Settings class in the file
module_name = 'ci_settings'
spec = importlib.util.spec_from_file_location(module_name, ci_settings_file)
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
try:
settings = getattr(module, 'Settings')
except AttributeError:
print("::error title=Workspace Error!::Failed to find Settings class in CI Settings file!")
sys.exit(1)
# Determine Which Operations Are Supported by the Settings Class
ci_setup_supported = issubclass(settings, CiSetupSettingsManager)
setup_supported = issubclass(settings, SetupSettingsManager)
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'ci_setup_supported={str(ci_setup_supported).lower()}', file=fh)
print(f'setup_supported={str(setup_supported).lower()}', file=fh)
- name: Get Cargo Tool Details
id: get_cargo_tool_details
shell: python
run: |
import os
import requests
GITHUB_REPO = "sagiegurari/cargo-make"
API_URL = f"https://api.github.com/repos/{GITHUB_REPO}/releases/latest"
# Default value in case getting latest fails, cache will fall
# back on this version.
latest_cargo_make_version = "0.36.13"
response = requests.get(API_URL)
if response.status_code == 200:
latest_cargo_make_version = response.json()["tag_name"]
else:
print("::error title=GitHub Release Error!::Failed to get latest cargo-make version!")
cache_key = f'cargo-make-{latest_cargo_make_version}'
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'cargo_bin_path={os.path.join(os.environ["USERPROFILE"], ".cargo", "bin")}', file=fh)
print(f'cargo_make_cache_key={cache_key}', file=fh)
print(f'cargo_make_version={latest_cargo_make_version}', file=fh)
- name: Attempt to Load cargo-make From Cache
id: cargo_make_cache
uses: actions/cache@v3
with:
path: ${{ steps.get_cargo_tool_details.outputs.cargo_bin_path }}
key: ${{ steps.get_cargo_tool_details.outputs.cargo_make_cache_key }}
- name: Download cargo-make
if: steps.cargo_make_cache.outputs.cache-hit != 'true'
uses: robinraju/[email protected]
with:
repository: 'sagiegurari/cargo-make'
tag: '${{ steps.get_cargo_tool_details.outputs.cargo_make_version }}'
fileName: 'cargo-make-v${{ steps.get_cargo_tool_details.outputs.cargo_make_version }}-x86_64-pc-windows-msvc.zip'
out-file-path: 'cargo-make-download'
token: ${{ secrets.GITHUB_TOKEN }}
- name: Extract cargo-make
if: steps.cargo_make_cache.outputs.cache-hit != 'true'
env:
CARGO_MAKE_VERSION: ${{ steps.get_cargo_tool_details.outputs.cargo_make_version }}
DEST_DIR: ${{steps.get_cargo_tool_details.outputs.cargo_bin_path }}
shell: python
run: |
import os
import shutil
import zipfile
from pathlib import Path
DOWNLOAD_DIR = Path(os.environ["GITHUB_WORKSPACE"], "cargo-make-download")
ZIP_FILE_NAME = f"cargo-make-v{os.environ['CARGO_MAKE_VERSION']}-x86_64-pc-windows-msvc.zip"
ZIP_FILE_PATH = Path(DOWNLOAD_DIR, ZIP_FILE_NAME)
EXTRACT_DIR = Path(DOWNLOAD_DIR, "cargo-make-contents")
with zipfile.ZipFile(ZIP_FILE_PATH, 'r') as zip_ref:
zip_ref.extractall(EXTRACT_DIR)
for extracted_file in EXTRACT_DIR.iterdir():
if extracted_file.name == "cargo-make.exe":
shutil.copy2(extracted_file, os.environ["DEST_DIR"])
break
- name: Rust Prep
run: rustup component add rust-src
- name: Setup
if: steps.get_ci_file_operations.outputs.setup_supported == 'true'
run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.archs }} TOOL_CHAIN_TAG=${{ matrix.tool_chain_tag }}
- name: Upload Setup Log As An Artifact
uses: actions/upload-artifact@v3
if: (success() || failure()) && steps.get_ci_file_operations.outputs.setup_supported == 'true'
with:
name: ${{ matrix.package }}-Logs
path: |
**/SETUPLOG.txt
retention-days: 7
if-no-files-found: ignore
- name: CI Setup
if: steps.get_ci_file_operations.outputs.ci_setup_supported == 'true'
run: stuart_ci_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.archs }} TOOL_CHAIN_TAG=${{ matrix.tool_chain_tag }}
- name: Upload CI Setup Log As An Artifact
uses: actions/upload-artifact@v3
if: (success() || failure()) && steps.get_ci_file_operations.outputs.ci_setup_supported == 'true'
with:
name: ${{ matrix.package }}-Logs
path: |
**/CISETUP.txt
retention-days: 7
if-no-files-found: ignore
- name: Update
run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.archs }} TOOL_CHAIN_TAG=${{ matrix.tool_chain_tag }}
- name: Upload Update Log As An Artifact
uses: actions/upload-artifact@v3
if: success() || failure()
with:
name: ${{ matrix.package }}-Logs
path: |
**/UPDATE_LOG.txt
retention-days: 7
if-no-files-found: ignore
- name: Find CodeQL Plugin Directory
id: find_dir
shell: python
run: |
import os
import sys
from pathlib import Path
# Find the plugin directory that contains the CodeQL plugin
plugin_dir = list(Path(os.environ['GITHUB_WORKSPACE']).rglob('.pytool/Plugin/CodeQL'))
# This should only be found once
if len(plugin_dir) == 1:
plugin_dir = str(plugin_dir[0])
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'codeql_plugin_dir={plugin_dir}', file=fh)
else:
print("::error title=Workspace Error!::Failed to find Mu Basecore plugin directory!")
sys.exit(1)
- name: Get CodeQL CLI Cache Data
id: cache_key_gen
env:
CODEQL_PLUGIN_DIR: ${{ steps.find_dir.outputs.codeql_plugin_dir }}
shell: python
run: |
import os
import yaml
codeql_cli_ext_dep_name = 'codeqlcli_windows_ext_dep'
codeql_plugin_file = os.path.join(os.environ['CODEQL_PLUGIN_DIR'], codeql_cli_ext_dep_name + '.yaml')
with open (codeql_plugin_file) as pf:
codeql_cli_ext_dep = yaml.safe_load(pf)
cache_key_name = codeql_cli_ext_dep['name']
cache_key_version = codeql_cli_ext_dep['version']
cache_key = f'{cache_key_name}-{cache_key_version}'
codeql_plugin_cli_ext_dep_dir = os.path.join(os.environ['CODEQL_PLUGIN_DIR'], codeql_cli_ext_dep['name'].strip() + '_extdep')
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'codeql_cli_cache_key={cache_key}', file=fh)
print(f'codeql_cli_ext_dep_dir={codeql_plugin_cli_ext_dep_dir}', file=fh)
- name: Attempt to Load CodeQL CLI From Cache
id: codeqlcli_cache
uses: actions/cache@v3
with:
path: ${{ steps.cache_key_gen.outputs.codeql_cli_ext_dep_dir }}
key: ${{ steps.cache_key_gen.outputs.codeql_cli_cache_key }}
- name: Download CodeQL CLI
if: steps.codeqlcli_cache.outputs.cache-hit != 'true'
run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.archs }} TOOL_CHAIN_TAG=${{ matrix.tool_chain_tag }} --codeql
- name: Remove CI Plugins Irrelevant to CodeQL
shell: python
env:
CODEQL_PLUGIN_DIR: ${{ steps.find_dir.outputs.codeql_plugin_dir }}
run: |
import os
import shutil
from pathlib import Path
# Only these two plugins are needed for CodeQL
plugins_to_keep = ['CodeQL', 'CompilerPlugin']
plugin_dir = Path(os.environ['CODEQL_PLUGIN_DIR']).parent.absolute()
if plugin_dir.is_dir():
for dir in plugin_dir.iterdir():
if str(dir.stem) not in plugins_to_keep:
shutil.rmtree(str(dir.absolute()), ignore_errors=True)
- name: CI Build
env:
STUART_CODEQL_PATH: ${{ steps.cache_key_gen.outputs.codeql_cli_ext_dep_dir }}
run: stuart_ci_build -c .pytool/CISettings.py -t DEBUG -p ${{ matrix.package }} -a ${{ matrix.archs }} TOOL_CHAIN_TAG=${{ matrix.tool_chain_tag }} --codeql
- name: Upload Build Logs As An Artifact
uses: actions/upload-artifact@v3
if: success() || failure()
with:
name: ${{ matrix.package }}-Logs
path: |
**/BUILD_REPORT.TXT
**/OVERRIDELOG.TXT
**/BUILDLOG_*.md
**/BUILDLOG_*.txt
**/CI_*.md
**/CI_*.txt
retention-days: 7
if-no-files-found: ignore
- name: Prepare Env Data for CodeQL Upload
id: env_data
env:
PACKAGE_NAME: ${{ matrix.package }}
shell: python
run: |
import os
package = os.environ['PACKAGE_NAME'].strip().lower()
directory_name = 'codeql-analysis-' + package + '-debug'
file_name = 'codeql-db-' + package + '-debug-0.sarif'
sarif_path = os.path.join('Build', directory_name, file_name)
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'sarif_file_path={sarif_path}', file=fh)
- name: Upload CodeQL Results (SARIF) As An Artifact
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.package }}-CodeQL-SARIF
path: ${{ steps.env_data.outputs.sarif_file_path }}
retention-days: 14
if-no-files-found: warn
- name: Upload CodeQL Results (SARIF) To GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository.
sarif_file: ${{ steps.env_data.outputs.sarif_file_path }}
# Optional category for the results. Used to differentiate multiple results for one commit.
# Each package is a separate category.
category: ${{ matrix.package }}