name: CodeQL on: # push: # branches: # - master # pull_request: # # The branches below must be a subset of the branches above # branches: # - master workflow_dispatch: inputs: ref: description: 'Ref to build (for Pull Requests, use refs/pull/NNN/head)' required: true concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write steps: - name: Checkout if: github.event_name != 'workflow_dispatch' uses: actions/checkout@v4 - name: Checkout (Manual) if: github.event_name == 'workflow_dispatch' uses: actions/checkout@v4 with: ref: ${{ github.event.inputs.ref }} - name: Install dependencies run: | echo "::group::Update apt" sudo apt-get update echo "::endgroup::" echo "::group::Install dependencies" sudo apt-get install -y --no-install-recommends \ liballegro4-dev \ libcurl4-openssl-dev \ libfontconfig-dev \ libharfbuzz-dev \ libicu-dev \ liblzma-dev \ liblzo2-dev \ libsdl2-dev \ zlib1g-dev \ # EOF echo "::endgroup::" env: DEBIAN_FRONTEND: noninteractive - name: Set number of make jobs run: | echo "MAKEFLAGS=-j$(nproc)" >> $GITHUB_ENV - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: cpp config-file: ./.github/codeql/codeql-config.yml - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: /language:cpp upload: False output: sarif-results - name: Filter out table & generated code uses: advanced-security/filter-sarif@v1 with: patterns: | +**/*.* -**/table/*.* -**/generated/**/*.* -**/tests/*.* input: sarif-results/cpp.sarif output: sarif-results/cpp.sarif - name: Upload results uses: github/codeql-action/upload-sarif@v3 with: sarif_file: sarif-results/cpp.sarif