Merge pull request #14908 from romeroalx/backport-13679-to-auth-4.7.x #13625
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "CodeQL" | |
on: | |
push: | |
pull_request: | |
schedule: | |
- cron: '0 22 * * 2' | |
permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
contents: read | |
jobs: | |
analyze: | |
name: Analyze | |
runs-on: ubuntu-20.04 | |
permissions: | |
actions: read # for github/codeql-action/init to get workflow details | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/analyze to upload SARIF results | |
strategy: | |
fail-fast: false | |
matrix: | |
# Override automatic language detection by changing the below list | |
# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] | |
language: ['cpp'] | |
product: ['auth'] | |
# Learn more... | |
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection | |
steps: | |
- uses: PowerDNS/pdns/set-ubuntu-mirror@meta | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
# We must fetch at least the immediate parents so that if this is | |
# a pull request then we can checkout the head. | |
fetch-depth: 2 | |
# Python is required for building the Authoritative server | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.8' | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: ${{ matrix.language }} | |
queries: +security-and-quality | |
# TODO: go through +security-and-quality (400 alerts) once, then see if we can upgrade to it | |
# If you wish to specify custom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list here with "+" to use these queries and those in the config file. | |
# queries: ./path/to/local/query, your-org/your-repo/queries@main | |
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | |
# If this step fails, then you should remove it and run the build manually (see below) | |
# - name: Autobuild | |
# uses: github/codeql-action/autobuild@v2 | |
# ℹ️ Command-line programs to run using the OS shell. | |
# 📚 https://git.io/JvXDl | |
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines | |
# and modify them (or add more) to build your code if your project | |
# uses a compiled language | |
- name: Update repository metadata | |
run: | | |
sudo apt-get update | |
- name: Install dependencies | |
run: | | |
sudo apt-get -qq -y --no-install-recommends --allow-downgrades install \ | |
bison \ | |
default-libmysqlclient-dev \ | |
flex \ | |
libboost-all-dev \ | |
libcap-dev \ | |
libcdb-dev \ | |
libcurl4-openssl-dev \ | |
libedit-dev \ | |
libfstrm-dev \ | |
libgeoip-dev \ | |
libgnutls28-dev \ | |
libh2o-evloop-dev \ | |
libkrb5-dev \ | |
libldap2-dev \ | |
liblmdb-dev \ | |
liblua5.3-dev \ | |
libmaxminddb-dev \ | |
libnghttp2-dev \ | |
libp11-kit-dev \ | |
libpq-dev \ | |
libre2-dev \ | |
libsnmp-dev \ | |
libsodium-dev \ | |
libsqlite3-dev \ | |
libssl-dev \ | |
libsystemd-dev \ | |
libwslay-dev \ | |
libyaml-cpp-dev \ | |
ragel \ | |
unixodbc-dev | |
- name: Build auth | |
if: matrix.product == 'auth' | |
run: | | |
autoreconf -vfi | |
./configure --with-modules='bind geoip gmysql godbc gpgsql gsqlite3 ldap lmdb lua2 pipe remote tinydns' --enable-tools --enable-ixfrdist --enable-dns-over-tls --enable-experimental-pkcs11 --with-libsodium --enable-lua-records CFLAGS='-O0' CXXFLAGS='-O0' | |
make -j8 -C ext | |
make -j8 -C modules | |
make -j8 -C pdns | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 |