CodeQL #96
| # This code is to check Code with CodeQL | |
| name: CodeQL | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| # Weekly deep scan (new rules, deeper dataflow) | |
| - cron: "17 3 * * 1" | |
| # Prevent overlapping scans | |
| concurrency: | |
| group: codeql-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| analyze: | |
| name: CodeQL (${{ matrix.os }}) | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 45 | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: | |
| - ubuntu-latest | |
| - macos-latest | |
| steps: | |
| # --------------------------------------------------------- | |
| # Checkout | |
| # --------------------------------------------------------- | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 2 | |
| persist-credentials: false | |
| # --------------------------------------------------------- | |
| # Initialize CodeQL (CORRECT SUITE USAGE) | |
| # --------------------------------------------------------- | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: cpp | |
| # ✔ VALID built-in suites (this fixes your error) | |
| # You may list one or both | |
| queries: security-extended | |
| # Extra hardening | |
| config: | | |
| name: "Splice Hardened CodeQL" | |
| paths-ignore: | |
| - "**/docs/**" | |
| - "**/examples/**" | |
| - "**/tests/**" | |
| - "**/third_party/**" | |
| - "**/vendor/**" | |
| - "**/build/**" | |
| - "**/bin/**" | |
| # --------------------------------------------------------- | |
| # Build (MANDATORY for C/C++) | |
| # CodeQL must observe a real compile | |
| # --------------------------------------------------------- | |
| - name: Build Splice | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| echo "OS: $RUNNER_OS" | |
| if [[ "$RUNNER_OS" == "Windows" ]]; then | |
| # Prefer MSYS2 / MinGW style builds if present | |
| if [[ -f build.sh ]]; then | |
| bash build.sh --force | |
| elif [[ -f Makefile ]]; then | |
| make | |
| else | |
| echo "No Windows build method found" | |
| exit 1 | |
| fi | |
| else | |
| if [[ -x ./build.sh ]]; then | |
| ./build.sh --force | |
| elif [[ -f Makefile ]]; then | |
| make -j2 | |
| else | |
| echo "No build.sh or Makefile found" | |
| exit 1 | |
| fi | |
| fi | |
| # --------------------------------------------------------- | |
| # Analyze | |
| # --------------------------------------------------------- | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:cpp" |
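Review bot: The three `uses:` references (`actions/checkout@v4`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`) resolve a mutable tag, so the workflow's supply-chain trust rests on whoever can move that tag rather than on a reviewed revision; for a security-scanning job that also receives `security-events: write`, pin each to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder; substitute the audited SHA). The `if [[ "$RUNNER_OS" == "Windows" ]]` branch in the Build step is unreachable because the matrix only lists `ubuntu-latest` and `macos-latest`, so either drop it or add `windows-latest` to the matrix so the path is actually exercised. The comment `# ✔ VALID built-in suites (this fixes your error)` reads as a conversational note rather than documentation of the workflow; replace it with something like `# Built-in suite; security-and-quality is the other valid option`. Note also that the `schedule` trigger runs on the default branch, so it shares `concurrency.group` `codeql-refs/heads/main` with pushes to main and `cancel-in-progress: true` can cancel the weekly deep scan mid-run; consider keying the group on `github.event_name` as well.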