зеркало из https://github.com/github/codeql.git
285 строки
10 KiB
YAML
285 строки
10 KiB
YAML
name: "Ruby: Build"
|
|
|
|
on:
|
|
push:
|
|
paths:
|
|
- "ruby/**"
|
|
- .github/workflows/ruby-build.yml
|
|
- .github/actions/fetch-codeql/action.yml
|
|
- codeql-workspace.yml
|
|
branches:
|
|
- main
|
|
- "rc/*"
|
|
pull_request:
|
|
paths:
|
|
- "ruby/**"
|
|
- .github/workflows/ruby-build.yml
|
|
- .github/actions/fetch-codeql/action.yml
|
|
- codeql-workspace.yml
|
|
branches:
|
|
- main
|
|
- "rc/*"
|
|
workflow_dispatch:
|
|
inputs:
|
|
tag:
|
|
description: "Version tag to create"
|
|
required: false
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
|
|
defaults:
|
|
run:
|
|
working-directory: ruby
|
|
|
|
jobs:
|
|
build:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest, windows-latest]
|
|
|
|
runs-on: ${{ matrix.os }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Install GNU tar
|
|
if: runner.os == 'macOS'
|
|
run: |
|
|
brew install gnu-tar
|
|
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
|
|
- name: Install cargo-cross
|
|
if: runner.os == 'Linux'
|
|
run: cargo install cross --version 0.2.5
|
|
- uses: ./.github/actions/os-version
|
|
id: os_version
|
|
- name: Cache entire extractor
|
|
uses: actions/cache@v3
|
|
id: cache-extractor
|
|
with:
|
|
path: |
|
|
ruby/extractor/target/release/codeql-extractor-ruby
|
|
ruby/extractor/target/release/codeql-extractor-ruby.exe
|
|
ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
|
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
|
|
- uses: actions/cache@v3
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
ruby/target
|
|
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
|
|
- name: Check formatting
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
|
run: cd extractor && cargo fmt --all -- --check
|
|
- name: Build
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
|
run: cd extractor && cargo build --verbose
|
|
- name: Run tests
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true'
|
|
run: cd extractor && cargo test --verbose
|
|
# On linux, build the extractor via cross in a centos7 container.
|
|
# This ensures we don't depend on glibc > 2.17.
|
|
- name: Release build (linux)
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
|
|
run: |
|
|
cd extractor
|
|
cross build --release
|
|
mv target/x86_64-unknown-linux-gnu/release/codeql-extractor-ruby target/release/
|
|
- name: Release build (windows and macos)
|
|
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
|
|
run: cd extractor && cargo build --release
|
|
- name: Generate dbscheme
|
|
if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
|
|
run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
|
- uses: actions/upload-artifact@v3
|
|
if: ${{ matrix.os == 'ubuntu-latest' }}
|
|
with:
|
|
name: ruby.dbscheme
|
|
path: ruby/ql/lib/ruby.dbscheme
|
|
- uses: actions/upload-artifact@v3
|
|
if: ${{ matrix.os == 'ubuntu-latest' }}
|
|
with:
|
|
name: TreeSitter.qll
|
|
path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
|
|
- uses: actions/upload-artifact@v3
|
|
with:
|
|
name: extractor-${{ matrix.os }}
|
|
path: |
|
|
ruby/extractor/target/release/codeql-extractor-ruby
|
|
ruby/extractor/target/release/codeql-extractor-ruby.exe
|
|
retention-days: 1
|
|
compile-queries:
|
|
runs-on: ubuntu-latest-xl
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Fetch CodeQL
|
|
uses: ./.github/actions/fetch-codeql
|
|
- name: Cache compilation cache
|
|
id: query-cache
|
|
uses: ./.github/actions/cache-query-compilation
|
|
with:
|
|
key: ruby-build
|
|
- name: Build Query Pack
|
|
run: |
|
|
PACKS=${{ runner.temp }}/query-packs
|
|
rm -rf $PACKS
|
|
codeql pack create ../misc/suite-helpers --output "$PACKS"
|
|
codeql pack create ../shared/regex --output "$PACKS"
|
|
codeql pack create ../shared/ssa --output "$PACKS"
|
|
codeql pack create ../shared/tutorial --output "$PACKS"
|
|
codeql pack create ql/lib --output "$PACKS"
|
|
codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
|
PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
|
|
codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
|
|
(cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
|
|
- uses: actions/upload-artifact@v3
|
|
with:
|
|
name: codeql-ruby-queries
|
|
path: |
|
|
${{ runner.temp }}/query-packs/*
|
|
retention-days: 1
|
|
|
|
package:
|
|
runs-on: ubuntu-latest
|
|
needs: [build, compile-queries]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/download-artifact@v3
|
|
with:
|
|
name: ruby.dbscheme
|
|
path: ruby/ruby
|
|
- uses: actions/download-artifact@v3
|
|
with:
|
|
name: extractor-ubuntu-latest
|
|
path: ruby/linux64
|
|
- uses: actions/download-artifact@v3
|
|
with:
|
|
name: extractor-windows-latest
|
|
path: ruby/win64
|
|
- uses: actions/download-artifact@v3
|
|
with:
|
|
name: extractor-macos-latest
|
|
path: ruby/osx64
|
|
- run: |
|
|
mkdir -p ruby
|
|
cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
|
|
mkdir -p ruby/tools/{linux64,osx64,win64}
|
|
cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor
|
|
cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor
|
|
cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
|
|
chmod +x ruby/tools/{linux64,osx64}/extractor
|
|
zip -rq codeql-ruby.zip ruby
|
|
- uses: actions/upload-artifact@v3
|
|
with:
|
|
name: codeql-ruby-pack
|
|
path: ruby/codeql-ruby.zip
|
|
retention-days: 1
|
|
- uses: actions/download-artifact@v3
|
|
with:
|
|
name: codeql-ruby-queries
|
|
path: ruby/qlpacks
|
|
- run: |
|
|
echo '{
|
|
"provide": [
|
|
"ruby/codeql-extractor.yml",
|
|
"qlpacks/*/*/*/qlpack.yml"
|
|
]
|
|
}' > .codeqlmanifest.json
|
|
zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
|
|
- uses: actions/upload-artifact@v3
|
|
with:
|
|
name: codeql-ruby-bundle
|
|
path: ruby/codeql-ruby-bundle.zip
|
|
retention-days: 1
|
|
|
|
test:
|
|
defaults:
|
|
run:
|
|
working-directory: ${{ github.workspace }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest, windows-latest]
|
|
|
|
runs-on: ${{ matrix.os }}
|
|
needs: [package]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Fetch CodeQL
|
|
uses: ./.github/actions/fetch-codeql
|
|
|
|
- name: Download Ruby bundle
|
|
uses: actions/download-artifact@v3
|
|
with:
|
|
name: codeql-ruby-bundle
|
|
path: ${{ runner.temp }}
|
|
- name: Unzip Ruby bundle
|
|
shell: bash
|
|
run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
|
|
|
|
- name: Run QL test
|
|
shell: bash
|
|
run: |
|
|
codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
|
|
- name: Create database
|
|
shell: bash
|
|
run: |
|
|
codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
|
|
- name: Analyze database
|
|
shell: bash
|
|
run: |
|
|
codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|
|
|
|
# This is a copy of the 'test' job that runs in a centos7 container.
|
|
# This tests that the extractor works correctly on systems with an old glibc.
|
|
test-centos7:
|
|
defaults:
|
|
run:
|
|
working-directory: ${{ github.workspace }}
|
|
strategy:
|
|
fail-fast: false
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: centos:centos7
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
needs: [package]
|
|
steps:
|
|
- name: Install gh cli
|
|
run: |
|
|
yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
|
|
# fetch-codeql requires unzip and jq
|
|
# jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/)
|
|
yum install -y gh unzip epel-release
|
|
yum install -y jq
|
|
- uses: actions/checkout@v3
|
|
- name: Fetch CodeQL
|
|
uses: ./.github/actions/fetch-codeql
|
|
|
|
# Due to a bug in Actions, we can't use runner.temp in the run blocks here.
|
|
# https://github.com/actions/runner/issues/2185
|
|
|
|
- name: Download Ruby bundle
|
|
uses: actions/download-artifact@v3
|
|
with:
|
|
name: codeql-ruby-bundle
|
|
path: ${{ runner.temp }}
|
|
- name: Unzip Ruby bundle
|
|
shell: bash
|
|
run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip
|
|
|
|
- name: Run QL test
|
|
shell: bash
|
|
run: |
|
|
codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/
|
|
- name: Create database
|
|
shell: bash
|
|
run: |
|
|
codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
|
|
- name: Analyze database
|
|
shell: bash
|
|
run: |
|
|
codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
|