-
Notifications
You must be signed in to change notification settings - Fork 9
100 lines (88 loc) · 3.97 KB
/
codeql-analysis-reusable.yaml
File metadata and controls
100 lines (88 loc) · 3.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
name: codeql-analysis
on:
workflow_call:
inputs:
java-version:
description: The Java compiler version
default: 17
type: string
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'kotlin', 'python', 'ruby' ]
# Learn more about CodeQL language support at https://git.io/codeql-language-support
language:
description: Language used in the repository
default: java
type: string
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
- name: Initialize CodeQL
uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # 3.28.15
with:
# Also check GitHub Actions
languages: ${{ inputs.language }}, actions
- name: Setup JDK
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # 4.7.1
with:
distribution: zulu
java-version: ${{ inputs.java-version }}
#
# Sets up Mimír (https://maveniverse.eu/docs/mimir/) to cache artifacts from remote repositories
#
# Unlike the local Maven repository, Mimír cannot be used to stage locally generated artifacts or snapshots.
# Therefore, it can be reused between builds, even on different architectures.
# Since the size of the cache increases in time, as we download new dependency versions, we reset the cache
# once a month.
#
# WARNING: Currently it is not possible to reuse GitHub workflow steps, therefore, these two steps must be
# copied to multiple workflows.
# The `build-reusable` workflow uses `actions/cache`,
# while the other workflows only use `actions/cache/restore`
#
- name: Set up Mimír configuration
shell: bash
run: |
# Compute the key cache
echo MIMIR_KEY="mimir-cache-$(date +'%Y-%m')" >> $GITHUB_ENV
# Mimir currently does not support relative paths, so we need to compute the absolute path of `mimir`.
echo MAVEN_OPTS="-Dmimir.daemon.passOnBasedir=true -Dmimir.daemon.autostop=true -Dmimir.basedir=$GITHUB_WORKSPACE/.mimir" >> $GITHUB_ENV
- name: Set up Mimír cache
uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # 4.2.3
with:
# Mimir is a partial mirror of Maven Central.
# Therefore, we only need to clean it from time to time to remove old versions.
#
# However, GitHub caches are immutable, and we need a unique key to update them.
# If no cache hit occurs for this key, we fall back to any other cache.
key: "${{ env.MIMIR_KEY }}-${{ hashFiles('**/pom.xml') }}"
restore-keys: |
${{ env.MIMIR_KEY }}-
path: .mimir/local
- name: Build with Maven
shell: bash
run: |
./mvnw \
--show-version --batch-mode --errors --no-transfer-progress \
-DskipTests \
clean verify
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # 3.28.15