2021-10-14 14:32:50 +03:00
|
|
|
name: "Ruby: Build"
|
2020-10-27 16:25:22 +03:00
|
|
|
|
|
|
|
|
on:
|
|
|
|
|
push:
|
2022-11-21 19:52:06 +03:00
|
|
|
paths:
|
|
|
|
|
- "ruby/**"
|
|
|
|
|
- .github/workflows/ruby-build.yml
|
|
|
|
|
- .github/actions/fetch-codeql/action.yml
|
|
|
|
|
- codeql-workspace.yml
|
2021-10-14 14:32:50 +03:00
|
|
|
branches:
|
|
|
|
|
- main
|
2021-11-03 13:52:29 +03:00
|
|
|
- "rc/*"
|
2020-10-27 16:25:22 +03:00
|
|
|
pull_request:
|
2021-10-14 14:32:50 +03:00
|
|
|
paths:
|
2021-11-03 13:52:29 +03:00
|
|
|
- "ruby/**"
|
|
|
|
|
- .github/workflows/ruby-build.yml
|
2022-08-02 17:33:21 +03:00
|
|
|
- .github/actions/fetch-codeql/action.yml
|
2022-05-27 19:46:54 +03:00
|
|
|
- codeql-workspace.yml
|
2021-10-14 14:32:50 +03:00
|
|
|
branches:
|
|
|
|
|
- main
|
2021-11-03 13:52:29 +03:00
|
|
|
- "rc/*"
|
2021-05-26 16:29:37 +03:00
|
|
|
workflow_dispatch:
|
|
|
|
|
inputs:
|
|
|
|
|
tag:
|
|
|
|
|
description: "Version tag to create"
|
|
|
|
|
required: false
|
2020-10-27 16:25:22 +03:00
|
|
|
|
|
|
|
|
env:
|
|
|
|
|
CARGO_TERM_COLOR: always
|
|
|
|
|
|
2021-10-14 14:32:50 +03:00
|
|
|
defaults:
|
|
|
|
|
run:
|
|
|
|
|
working-directory: ruby
|
|
|
|
|
|
2020-10-27 16:25:22 +03:00
|
|
|
jobs:
|
|
|
|
|
build:
|
|
|
|
|
strategy:
|
|
|
|
|
fail-fast: false
|
2020-10-27 17:50:30 +03:00
|
|
|
matrix:
|
|
|
|
|
os: [ubuntu-latest, macos-latest, windows-latest]
|
2020-10-27 16:25:22 +03:00
|
|
|
|
|
|
|
|
runs-on: ${{ matrix.os }}
|
|
|
|
|
|
|
|
|
|
steps:
|
2022-04-27 17:13:33 +03:00
|
|
|
- uses: actions/checkout@v3
|
2020-12-03 18:40:37 +03:00
|
|
|
- name: Install GNU tar
|
|
|
|
|
if: runner.os == 'macOS'
|
|
|
|
|
run: |
|
|
|
|
|
brew install gnu-tar
|
|
|
|
|
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
2023-03-16 02:04:33 +03:00
|
|
|
- name: Install cargo-cross
|
|
|
|
|
if: runner.os == 'Linux'
|
2023-03-23 02:20:12 +03:00
|
|
|
run: cargo install cross --version 0.2.5
|
2023-01-12 15:25:37 +03:00
|
|
|
- uses: ./.github/actions/os-version
|
|
|
|
|
id: os_version
|
2022-11-24 12:29:20 +03:00
|
|
|
- name: Cache entire extractor
|
|
|
|
|
uses: actions/cache@v3
|
|
|
|
|
id: cache-extractor
|
|
|
|
|
with:
|
|
|
|
|
path: |
|
2023-04-07 06:47:22 +03:00
|
|
|
ruby/extractor/target/release/codeql-ruby-extractor
|
|
|
|
|
ruby/extractor/target/release/codeql-ruby-extractor.exe
|
2023-03-14 02:10:56 +03:00
|
|
|
ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
|
|
|
|
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}--${{ hashFiles('ruby/extractor/**/*.rs') }}
|
2022-04-27 16:17:37 +03:00
|
|
|
- uses: actions/cache@v3
|
2022-11-24 12:29:20 +03:00
|
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
2020-10-27 21:11:05 +03:00
|
|
|
with:
|
|
|
|
|
path: |
|
|
|
|
|
~/.cargo/registry
|
|
|
|
|
~/.cargo/git
|
2021-10-14 14:32:50 +03:00
|
|
|
ruby/target
|
2023-03-14 02:10:56 +03:00
|
|
|
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
|
2020-11-09 15:52:12 +03:00
|
|
|
- name: Check formatting
|
2022-11-24 12:29:20 +03:00
|
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
2023-03-14 02:17:04 +03:00
|
|
|
run: cd extractor && cargo fmt --all -- --check
|
2020-10-27 17:50:30 +03:00
|
|
|
- name: Build
|
2022-11-24 12:29:20 +03:00
|
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
2023-03-14 02:40:37 +03:00
|
|
|
run: cd extractor && cargo build --verbose
|
2020-10-27 19:48:11 +03:00
|
|
|
- name: Run tests
|
2022-11-24 12:29:20 +03:00
|
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
2023-03-14 02:40:37 +03:00
|
|
|
run: cd extractor && cargo test --verbose
|
2023-03-16 02:11:12 +03:00
|
|
|
# On linux, build the extractor via cross in a centos7 container.
|
|
|
|
|
# This ensures we don't depend on glibc > 2.17.
|
|
|
|
|
- name: Release build (linux)
|
|
|
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
|
2023-03-23 03:05:08 +03:00
|
|
|
run: |
|
|
|
|
|
cd extractor
|
|
|
|
|
cross build --release
|
2023-04-07 06:47:22 +03:00
|
|
|
mv target/x86_64-unknown-linux-gnu/release/codeql-ruby-extractor target/release/
|
2023-03-16 02:11:12 +03:00
|
|
|
- name: Release build (windows and macos)
|
|
|
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
|
|
|
|
|
run: cd extractor && cargo build --release
|
2020-10-27 17:50:30 +03:00
|
|
|
- name: Generate dbscheme
|
2022-11-24 12:29:20 +03:00
|
|
|
if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
|
2023-04-07 06:47:22 +03:00
|
|
|
run: extractor/target/release/codeql-ruby-extractor generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
2022-04-27 16:17:28 +03:00
|
|
|
- uses: actions/upload-artifact@v3
|
2020-10-27 17:50:30 +03:00
|
|
|
if: ${{ matrix.os == 'ubuntu-latest' }}
|
|
|
|
|
with:
|
|
|
|
|
name: ruby.dbscheme
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/ql/lib/ruby.dbscheme
|
2022-04-27 16:17:28 +03:00
|
|
|
- uses: actions/upload-artifact@v3
|
2020-10-28 14:04:09 +03:00
|
|
|
if: ${{ matrix.os == 'ubuntu-latest' }}
|
|
|
|
|
with:
|
2020-12-01 17:28:33 +03:00
|
|
|
name: TreeSitter.qll
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
2022-04-27 16:17:28 +03:00
|
|
|
- uses: actions/upload-artifact@v3
|
2020-10-27 17:50:30 +03:00
|
|
|
with:
|
|
|
|
|
name: extractor-${{ matrix.os }}
|
|
|
|
|
path: |
|
2023-04-07 06:47:22 +03:00
|
|
|
ruby/extractor/target/release/codeql-ruby-extractor
|
|
|
|
|
ruby/extractor/target/release/codeql-ruby-extractor.exe
|
2020-10-27 17:50:30 +03:00
|
|
|
retention-days: 1
|
2021-05-24 13:50:14 +03:00
|
|
|
compile-queries:
|
2022-11-21 18:35:11 +03:00
|
|
|
runs-on: ubuntu-latest-xl
|
2021-05-24 13:50:14 +03:00
|
|
|
steps:
|
2022-04-27 17:13:33 +03:00
|
|
|
- uses: actions/checkout@v3
|
2021-05-24 13:50:14 +03:00
|
|
|
- name: Fetch CodeQL
|
2022-08-01 13:38:59 +03:00
|
|
|
uses: ./.github/actions/fetch-codeql
|
2022-11-21 18:25:44 +03:00
|
|
|
- name: Cache compilation cache
|
|
|
|
|
id: query-cache
|
|
|
|
|
uses: ./.github/actions/cache-query-compilation
|
|
|
|
|
with:
|
|
|
|
|
key: ruby-build
|
2021-05-24 13:50:14 +03:00
|
|
|
- name: Build Query Pack
|
|
|
|
|
run: |
|
2023-03-14 22:20:23 +03:00
|
|
|
PACKS=${{ runner.temp }}/query-packs
|
|
|
|
|
rm -rf $PACKS
|
2023-03-14 23:28:53 +03:00
|
|
|
codeql pack create ../misc/suite-helpers --output "$PACKS"
|
|
|
|
|
codeql pack create ../shared/regex --output "$PACKS"
|
|
|
|
|
codeql pack create ../shared/ssa --output "$PACKS"
|
|
|
|
|
codeql pack create ../shared/tutorial --output "$PACKS"
|
|
|
|
|
codeql pack create ql/lib --output "$PACKS"
|
|
|
|
|
codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
|
|
|
|
PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
|
2022-08-01 13:38:59 +03:00
|
|
|
codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
|
2021-06-24 21:48:14 +03:00
|
|
|
(cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
|
2022-04-27 16:17:28 +03:00
|
|
|
- uses: actions/upload-artifact@v3
|
2021-05-24 13:50:14 +03:00
|
|
|
with:
|
|
|
|
|
name: codeql-ruby-queries
|
|
|
|
|
path: |
|
2023-03-14 22:20:23 +03:00
|
|
|
${{ runner.temp }}/query-packs/*
|
2021-05-24 13:50:14 +03:00
|
|
|
retention-days: 1
|
|
|
|
|
|
2020-10-27 17:50:30 +03:00
|
|
|
package:
|
|
|
|
|
runs-on: ubuntu-latest
|
2021-06-24 18:52:22 +03:00
|
|
|
needs: [build, compile-queries]
|
2020-10-27 17:50:30 +03:00
|
|
|
steps:
|
2022-04-27 17:13:33 +03:00
|
|
|
- uses: actions/checkout@v3
|
2022-04-28 06:32:59 +03:00
|
|
|
- uses: actions/download-artifact@v3
|
2020-10-27 17:50:30 +03:00
|
|
|
with:
|
|
|
|
|
name: ruby.dbscheme
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/ruby
|
2022-04-28 06:32:59 +03:00
|
|
|
- uses: actions/download-artifact@v3
|
2020-10-27 17:50:30 +03:00
|
|
|
with:
|
|
|
|
|
name: extractor-ubuntu-latest
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/linux64
|
2022-04-28 06:32:59 +03:00
|
|
|
- uses: actions/download-artifact@v3
|
2020-10-27 17:50:30 +03:00
|
|
|
with:
|
|
|
|
|
name: extractor-windows-latest
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/win64
|
2022-04-28 06:32:59 +03:00
|
|
|
- uses: actions/download-artifact@v3
|
2020-10-27 17:50:30 +03:00
|
|
|
with:
|
|
|
|
|
name: extractor-macos-latest
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/osx64
|
2020-10-27 17:50:30 +03:00
|
|
|
- run: |
|
2020-10-27 19:02:36 +03:00
|
|
|
mkdir -p ruby
|
2021-08-11 13:24:31 +03:00
|
|
|
cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
|
2020-10-27 19:02:36 +03:00
|
|
|
mkdir -p ruby/tools/{linux64,osx64,win64}
|
2023-04-07 06:47:22 +03:00
|
|
|
cp linux64/codeql-ruby-extractor ruby/tools/linux64/extractor
|
|
|
|
|
cp osx64/codeql-ruby-extractor ruby/tools/osx64/extractor
|
|
|
|
|
cp win64/codeql-ruby-extractor.exe ruby/tools/win64/extractor.exe
|
|
|
|
|
chmod +x ruby/tools/{linux64,osx64}/extractor
|
2020-10-27 19:02:36 +03:00
|
|
|
zip -rq codeql-ruby.zip ruby
|
2022-04-27 16:17:28 +03:00
|
|
|
- uses: actions/upload-artifact@v3
|
2020-10-27 17:50:30 +03:00
|
|
|
with:
|
2020-10-27 19:02:36 +03:00
|
|
|
name: codeql-ruby-pack
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/codeql-ruby.zip
|
2020-10-27 17:50:30 +03:00
|
|
|
retention-days: 1
|
2022-04-28 06:32:59 +03:00
|
|
|
- uses: actions/download-artifact@v3
|
2021-05-24 13:50:14 +03:00
|
|
|
with:
|
|
|
|
|
name: codeql-ruby-queries
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/qlpacks
|
2021-05-24 13:50:14 +03:00
|
|
|
- run: |
|
|
|
|
|
echo '{
|
|
|
|
|
"provide": [
|
|
|
|
|
"ruby/codeql-extractor.yml",
|
2021-06-24 17:09:45 +03:00
|
|
|
"qlpacks/*/*/*/qlpack.yml"
|
2021-05-24 13:50:14 +03:00
|
|
|
]
|
|
|
|
|
}' > .codeqlmanifest.json
|
|
|
|
|
zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
|
2022-04-27 16:17:28 +03:00
|
|
|
- uses: actions/upload-artifact@v3
|
2021-05-24 13:50:14 +03:00
|
|
|
with:
|
|
|
|
|
name: codeql-ruby-bundle
|
2021-10-14 14:32:50 +03:00
|
|
|
path: ruby/codeql-ruby-bundle.zip
|
2021-05-24 13:50:14 +03:00
|
|
|
retention-days: 1
|
2021-10-14 14:32:50 +03:00
|
|
|
|
2021-08-10 14:32:44 +03:00
|
|
|
test:
|
2021-10-14 14:32:50 +03:00
|
|
|
defaults:
|
|
|
|
|
run:
|
|
|
|
|
working-directory: ${{ github.workspace }}
|
2021-08-10 14:32:44 +03:00
|
|
|
strategy:
|
|
|
|
|
fail-fast: false
|
|
|
|
|
matrix:
|
|
|
|
|
os: [ubuntu-latest, macos-latest, windows-latest]
|
|
|
|
|
|
|
|
|
|
runs-on: ${{ matrix.os }}
|
|
|
|
|
needs: [package]
|
|
|
|
|
steps:
|
2022-08-01 14:36:05 +03:00
|
|
|
- uses: actions/checkout@v3
|
|
|
|
|
- name: Fetch CodeQL
|
|
|
|
|
uses: ./.github/actions/fetch-codeql
|
2023-03-17 00:31:58 +03:00
|
|
|
|
|
|
|
|
- name: Download Ruby bundle
|
|
|
|
|
uses: actions/download-artifact@v3
|
|
|
|
|
with:
|
|
|
|
|
name: codeql-ruby-bundle
|
|
|
|
|
path: ${{ runner.temp }}
|
|
|
|
|
- name: Unzip Ruby bundle
|
|
|
|
|
shell: bash
|
|
|
|
|
run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
|
|
|
|
|
|
|
|
|
|
- name: Run QL test
|
|
|
|
|
shell: bash
|
|
|
|
|
run: |
|
|
|
|
|
codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
|
|
|
|
|
- name: Create database
|
|
|
|
|
shell: bash
|
|
|
|
|
run: |
|
|
|
|
|
codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
|
|
|
|
|
- name: Analyze database
|
|
|
|
|
shell: bash
|
|
|
|
|
run: |
|
|
|
|
|
codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
|
|
|
|
|
|
|
|
|
# This is a copy of the 'test' job that runs in a centos7 container.
|
|
|
|
|
# This tests that the extractor works correctly on systems with an old glibc.
|
|
|
|
|
test-centos7:
|
|
|
|
|
defaults:
|
|
|
|
|
run:
|
|
|
|
|
working-directory: ${{ github.workspace }}
|
|
|
|
|
strategy:
|
|
|
|
|
fail-fast: false
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
container:
|
|
|
|
|
image: centos:centos7
|
2023-03-17 00:59:49 +03:00
|
|
|
env:
|
|
|
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
2023-03-17 00:31:58 +03:00
|
|
|
needs: [package]
|
|
|
|
|
steps:
|
2023-03-17 00:59:49 +03:00
|
|
|
- name: Install gh cli
|
|
|
|
|
run: |
|
|
|
|
|
yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
|
2023-03-17 01:56:04 +03:00
|
|
|
# fetch-codeql requires unzip and jq
|
|
|
|
|
# jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/)
|
|
|
|
|
yum install -y gh unzip epel-release
|
|
|
|
|
yum install -y jq
|
2023-03-17 00:31:58 +03:00
|
|
|
- uses: actions/checkout@v3
|
|
|
|
|
- name: Fetch CodeQL
|
|
|
|
|
uses: ./.github/actions/fetch-codeql
|
2022-08-01 14:36:05 +03:00
|
|
|
|
2023-03-22 05:02:36 +03:00
|
|
|
# Due to a bug in Actions, we can't use runner.temp in the run blocks here.
|
2023-03-17 02:13:30 +03:00
|
|
|
# https://github.com/actions/runner/issues/2185
|
|
|
|
|
|
2021-08-10 14:32:44 +03:00
|
|
|
- name: Download Ruby bundle
|
2022-04-28 06:32:59 +03:00
|
|
|
uses: actions/download-artifact@v3
|
2021-08-10 14:32:44 +03:00
|
|
|
with:
|
|
|
|
|
name: codeql-ruby-bundle
|
2023-03-22 05:02:36 +03:00
|
|
|
path: ${{ runner.temp }}
|
2021-08-10 14:32:44 +03:00
|
|
|
- name: Unzip Ruby bundle
|
|
|
|
|
shell: bash
|
2023-03-22 05:02:36 +03:00
|
|
|
run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip
|
2023-01-16 16:36:57 +03:00
|
|
|
|
2021-08-10 14:32:44 +03:00
|
|
|
- name: Run QL test
|
|
|
|
|
shell: bash
|
|
|
|
|
run: |
|
2023-03-22 05:02:36 +03:00
|
|
|
codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/
|
2021-08-10 14:32:44 +03:00
|
|
|
- name: Create database
|
|
|
|
|
shell: bash
|
|
|
|
|
run: |
|
2023-03-22 05:02:36 +03:00
|
|
|
codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
|
2021-08-10 14:32:44 +03:00
|
|
|
- name: Analyze database
|
|
|
|
|
shell: bash
|
|
|
|
|
run: |
|
2023-03-22 05:02:36 +03:00
|
|
|
codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
