codeql-reusable.yml
# SPDX-License-Identifier: MPL-2.0
# codeql-reusable.yml — Reusable CodeQL security-analysis workflow.
#
# Consolidates the per-repo `codeql.yml` workflow (estate-wide: 263
# deployments, 69 unique blob SHAs, 26% structural drift). Language
# matrix distribution across the estate:
#
#   javascript-typescript                223 (84.8%)
#   actions                               22  (8.4%)
#   NONE (no matrix declared)              6  (2.3%)
#   rust                                   3  (1.1%)
#   javascript-typescript,rust             3  (1.1%)
#   actions,javascript-typescript          3  (1.1%)
#   actions,javascript-typescript,rust     2  (0.8%)
#   actions,rust                           1  (0.4%)
#
# 100% of estate variants currently use `build-mode: none`.
#
# Design: single-language, single-job reusable. Multi-language wrappers
# invoke the reusable once per language (parallel by construction).
# This avoids the matrix-as-input awkwardness while preserving per-
# language SARIF separation via the `category` input of the analyze step.
#
# Permissions: a called workflow cannot hold more GITHUB_TOKEN
# permissions than the calling job grants it. The `analyze` job below
# needs `security-events: write` to upload SARIF to code scanning, so a
# caller whose repository defaults to a read-only token must grant that
# permission on the calling job (or at the top of the caller workflow);
# otherwise the upload step fails. Pin `uses:` to a full commit SHA,
# never a branch or tag, so a compromised upstream cannot change what
# runs in every caller at once.
#
# Caller examples:
#
#   # Single-language (~85% of estate):
#   jobs:
#     codeql:
#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
#       # defaults to language=javascript-typescript, build-mode=none
#
#   # Rust-only:
#   jobs:
#     codeql:
#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
#       with:
#         language: rust
#
#   # Multi-language (JS/TS + actions + Rust):
#   jobs:
#     codeql-js:
#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
#     codeql-actions:
#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
#       with:
#         language: actions
#     codeql-rust:
#       uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@<sha>
#       with:
#         language: rust

name: CodeQL Security Analysis (reusable)

on:
  workflow_call:
    inputs:
      language:
        description: 'CodeQL language identifier (e.g. javascript-typescript, rust, actions). Single language per call; multi-language wrappers invoke the reusable once per language.'
        type: string
        required: false
        default: javascript-typescript
      build-mode:
        description: 'CodeQL build mode (none|autobuild|manual). 100% of the estate currently uses "none"; override only for compiled languages that require an explicit build.'
        type: string
        required: false
        default: none
      runs-on:
        description: 'Runner label for the analyze job'
        type: string
        required: false
        default: ubuntu-latest

# Default token scope for every job; the analyze job widens it only as
# far as SARIF upload requires.
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ${{ inputs.runs-on }}
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to code scanning
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
        with:
          languages: ${{ inputs.language }}
          build-mode: ${{ inputs.build-mode }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
        with:
          # One category per language so results from parallel jobs
          # do not overwrite each other in code scanning.
          category: "/language:${{ inputs.language }}"
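The workflow above relies on two properties that drift silently across an estate of hundreds of callers: every `uses:` must be pinned to a full commit SHA (with a comment naming the tag it corresponds to), and the job that runs `codeql-action/analyze` must hold `security-events: write` and nothing broader. The following linter is an added example, not part of the standards repository; it scans workflow text line by line with regular expressions rather than a YAML parser, so it has no third-party dependencies, and the two sample workflows embedded in it are constructed for illustration (the good one reuses the pinned SHAs shown on this page).

```python
"""Lint GitHub Actions workflow text for action pinning and CodeQL token scope.

Added example (not the project's own tooling). Regex-based on purpose:
it runs with the standard library only and treats each `uses:` line
independently, which is enough for the two checks it performs.
"""
import re
from typing import List

# A full Git commit SHA: 40 lowercase hex characters.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo[/path]@ref   # optional comment`, with or without a list dash.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
# The scope CodeQL needs to upload SARIF, and scopes it never needs.
SEC_EVENTS_WRITE = re.compile(r"^[ \t]*security-events:[ \t]*write[ \t]*$", re.M)
OVERBROAD = re.compile(r"^[ \t]*(?:permissions:[ \t]*write-all|contents:[ \t]*write)[ \t]*$", re.M)


def lint_uses(workflow_text: str) -> List[str]:
    """Return one finding per `uses:` reference that is not SHA-pinned and tag-commented."""
    findings: List[str] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, tag_comment = m.group(1), m.group(2)
        # Local actions and docker images are outside the scope of this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(f"L{lineno}: '{ref}' has no @ref at all")
            continue
        pin = ref.rpartition("@")[2]
        if not SHA40.fullmatch(pin):
            findings.append(f"L{lineno}: '{ref}' is pinned to a mutable ref, not a full commit SHA")
        elif tag_comment is None:
            findings.append(f"L{lineno}: '{ref}' lacks a '# vX.Y.Z' comment naming the pinned tag")
    return findings


def lint_permissions(workflow_text: str) -> List[str]:
    """Check that SARIF upload is possible and no write scope beyond it is granted."""
    findings: List[str] = []
    if not SEC_EVENTS_WRITE.search(workflow_text):
        findings.append("no job grants 'security-events: write'; SARIF upload to code scanning will fail")
    if OVERBROAD.search(workflow_text):
        findings.append("workflow grants write permissions beyond what CodeQL needs")
    return findings


def lint_workflow(workflow_text: str) -> List[str]:
    """All findings for one workflow file; an empty list means it passes."""
    return lint_uses(workflow_text) + lint_permissions(workflow_text)


# Constructed sample: a job shaped like the reusable's `analyze` job above.
GOOD_WORKFLOW = """\
jobs:
  analyze:
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
"""

# Constructed sample: the drift patterns the linter is meant to catch.
BAD_WORKFLOW = """\
jobs:
  codeql:
    uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@main
  extra:
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
      - uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        print(f"{name}: {lint_workflow(text) or 'OK'}")
```

Run it over `.github/workflows/*.yml` in each caller repository (read the file and pass its text to `lint_workflow`) as a required check; the bad sample yields three pinning findings (`@main`, `@v4`, and a SHA with no tag comment), one missing `security-events: write`, and one over-broad `contents: write`.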