# For most projects, this workflow file will not need changing; you simply need # to commit it to your repository. # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. name: "CodeQL Advanced" on: push: branches: [ "main" ] pull_request: branches: [ "main" ] schedule: - cron: '44 9 * * 5' # Runs every Friday at 9:44 AM concurrency: group: codeql_${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} jobs: setup-instance: runs-on: ubuntu-latest outputs: runner-name: ${{ steps.start-instance.outputs.label }} steps: - name: Start instance id: start-instance uses: zama-ai/slab-github-runner@f26b8d611b2e695158fb0a6980834f0612f65ef8 # v1.4.0 with: mode: start github-token: ${{ secrets.SLAB_ACTION_TOKEN }} slab-url: ${{ secrets.SLAB_BASE_URL }} job-secret: ${{ secrets.JOB_SECRET }} backend: aws profile: cpu-test analyze: needs: setup-instance name: Analyze (${{ matrix.language }}) # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners (GitHub.com only) # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'python' && 'ubuntu-latest') || needs.setup-instance.outputs.runner-name }} permissions: # required for all workflows security-events: write # required to fetch internal or private CodeQL packs packages: read # only required for workflows in private repositories actions: read contents: read strategy: fail-fast: false matrix: include: - language: c-cpp build-mode: manual - language: python build-mode: none # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' # Use `c-cpp` to analyze code written in C, C++ or both # Use 'java-kotlin' to analyze code written in Java, Kotlin or both # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - if: matrix.build-mode == 'manual' name: Checkout repository (recursive) uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive fetch-depth: 0 - if: matrix.build-mode != 'manual' name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: '3.10' - name: Set up home # "Install rust" step require root user to have a HOME directory which is not set. run: | echo "HOME=/home/ubuntu" >> "${GITHUB_ENV}" - if: matrix.build-mode == 'manual' && matrix.language == 'c-cpp' name: Setup rust toolchain for concrete-cpu (Cpp) uses: ./.github/actions/setup_rust_toolchain_for_concrete_cpu - if: matrix.build-mode == 'manual' && matrix.language == 'c-cpp' name: Setup runtime (Cpp) shell: bash run: | set -e sudo apt-get update sudo apt install -y build-essential cmake ninja-build pip install -r ./third_party/llvm-project/mlir/python/requirements.txt pip install -r ./compilers/concrete-compiler/compiler/lib/Bindings/Python/requirements_dev.txt # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality # If the analyze step fails for one of the languages you are analyzing with # "We were unable to automatically build your code", modify the matrix above # to set the build mode to "manual" for that language. Then modify this step # to build your code. # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - if: matrix.build-mode == 'manual' && matrix.language == 'c-cpp' name: Manual Build (Cpp) shell: bash run: | cd compilers/concrete-compiler/compiler make concretecompiler python-bindings - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3 with: category: "/language:${{matrix.language}}" teardown-instance: needs: [ setup-instance, analyze ] if: ${{ always() && needs.setup-instance.result != 'skipped' }} runs-on: ubuntu-latest steps: - name: Stop instance id: stop-instance uses: zama-ai/slab-github-runner@f26b8d611b2e695158fb0a6980834f0612f65ef8 # v1.4.0 with: mode: stop github-token: ${{ secrets.SLAB_ACTION_TOKEN }} slab-url: ${{ secrets.SLAB_BASE_URL }} job-secret: ${{ secrets.JOB_SECRET }} label: ${{ needs.setup-instance.outputs.runner-name }}