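name: "Security and Code-Quality scan with CodeQL - Quickstart Sample"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '28 6 * * 1'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  analyze:
    name: CodeQL Scan (${{ matrix.language }})
    # Runner size impacts CodeQL analysis time. To learn more, please see:
    # - https://gh.io/recommended-hardware-resources-for-running-codeql
    # - https://gh.io/supported-runners-and-hardware-resources
    # - https://gh.io/using-larger-runners (GitHub.com only)
    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
    #runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    #runs-on: [ self-hosted, macos ]
    runs-on: [ 'macos-14' ]
    #timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    timeout-minutes: 120
    # Least-privilege token: nothing here needs write access except the SARIF upload.
    permissions:
      # required for all workflows (SARIF upload by the analyze step)
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # https://github.com/swiftlang/swift/releases
        swift: [ "5.10.1" ]
        # https://developer.apple.com/documentation/xcode-release-notes
        xcode: [ "15.4" ]
        language: [ swift ]
        build-mode: [ manual ]
        destination:
          # NOTE(review): Xcode 15.4 is pinned above, but this destination asks for an iOS 18.1
          # simulator runtime. Confirm that runtime is available to the selected Xcode on macos-14
          # after every other Xcode is removed below; if it is not, xcodebuild fails before the
          # CodeQL extractor sees any source and the analysis step uploads an empty result.
          - "platform=iOS Simulator,OS=18.1,name=iPhone 15"
    # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
    # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
    # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
    # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
    steps:
      # Select the Xcode version given by the matrix.
      # TODO(review): pin third-party actions (maxim-lobanov/setup-xcode, swift-actions/setup-swift)
      # to a full-length commit SHA rather than a mutable tag; a tag can be re-pointed by the action
      # owner or by anyone who compromises that repository, and the action runs with this job's token.
      # See GitHub's "Security hardening for GitHub Actions" guide.
      - name: Initialize latest xcode
        uses: maxim-lobanov/[email protected]
        with:
          xcode-version: ${{ matrix.xcode }}
      # Remove every other Xcode installation so only the selected one can be picked up.
      # Matrix values are passed through env instead of being interpolated into the script:
      # they are workflow-defined here (low risk), but the env indirection is the documented
      # pattern against script injection and keeps the shell free of ${{ }} expansions.
      - name: Remove old xcode versions
        env:
          XCODE_VERSION: ${{ matrix.xcode }}
        run: |
          echo "Searching for Xcode versions:"
          find /Applications -mindepth 1 -maxdepth 1 -name "Xcode_*"
          echo "Removing Xcode versions other than ${XCODE_VERSION}..."
          # A fixed -name glob replaces 'grep -v 15.4' (a regex, where '.' matched any character)
          # and -exec replaces 'xargs rm -rf', so paths are never word-split and nothing runs
          # when there is no match.
          find /Applications -mindepth 1 -maxdepth 1 -name "Xcode_*" \
            ! -name "Xcode_${XCODE_VERSION}*" -exec rm -rf {} +
          echo "Available Xcode versions after removal:"
          find /Applications -mindepth 1 -maxdepth 1 -name "Xcode_*"
      # Install the Swift toolchain given by the matrix (same SHA-pinning note as above).
      - name: Initialize Swift
        uses: swift-actions/[email protected]
        with:
          swift-version: ${{ matrix.swift }}
      # Print the active toolchain for the job log.
      - name: Get swift version
        run: swift --version
      # Checkout after toolchain setup so the toolchain steps never run with the repository present.
      # persist-credentials: false keeps GITHUB_TOKEN out of .git/config, so the build step below
      # (which executes dependency package plugins, see -skipPackagePluginValidation) cannot read it.
      # The CodeQL steps authenticate through their own token input, not the git credential helper,
      # so the SARIF upload is expected to be unaffected — confirm on the first run.
      - name: Checkout repository
        uses: actions/[email protected]
        with:
          persist-credentials: false
      # Initialize CodeQL for the matrix language in manual build mode.
      - name: Initialize CodeQL
        uses: github/codeql-action/[email protected]
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality
          queries: security-and-quality
          config-file: .github/codeql/codeql-samples-config.yml
      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
      # It is disabled here in favour of the explicit xcodebuild invocation below.
      #- name: Autobuild
      #  uses: github/codeql-action/[email protected]
      # Check disk space before the build (the 10 s pause precedes the sample; its purpose is not
      # documented in this workflow).
      - name: Check Disk Space
        run: |
          sleep 10
          df -h
      # Build manually so the CodeQL Swift extractor observes the compiler invocations.
      # -skipPackagePluginValidation turns off Xcode's trust check on Swift package plugins, so any
      # plugin pulled in by a dependency executes at build time on this runner without review.
      # Keep the SwiftPM lockfile (Package.resolved) committed and treat a dependency or plugin
      # change as a supply-chain change that needs review.
      - name: Manual Build
        env:
          DESTINATION: ${{ matrix.destination }}
        run: |
          set -o pipefail
          xcodebuild -workspace FusionAuthSDK.xcworkspace/ \
            -scheme fusionauth-quickstart-swift-ios-native \
            -destination "${DESTINATION}" \
            -skipPackagePluginValidation
      # Run the analysis whether the build succeeded or failed so partial extraction results are
      # still uploaded; success() || failure() excludes only cancelled runs.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/[email protected]
        if: success() || failure()
        with:
          category: "/language:${{matrix.language}}"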