kmod/.github/workflows/codeql.yml

# SPDX-FileCopyrightText: 2024 Emil Velikov <emil.l.velikov@gmail.com>
# SPDX-FileCopyrightText: 2024 Lucas De Marchi <lucas.de.marchi@gmail.com>
#
# SPDX-License-Identifier: LGPL-2.1-or-later

name: CodeQL

on:
  push:
    branches: [master, ci-test]
  pull_request:
    branches: [master]
  schedule:
    - cron: "30 2 * * 0"

env:
  KDIR: 'any'

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-24.04
    permissions:
      actions: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        include:
          - container: 'ubuntu:24.04'
            meson_setup: '-D b_sanitize=none -D build-tests=false'

    container:
      image: ${{ matrix.container }}

    steps:
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Setup OS
        uses: ./.github/actions/setup-os

      - name: Initialize CodeQL
        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          languages: cpp
          queries: +security-and-quality

      - name: Build
        run: |
          meson setup --native-file build-dev.ini ${{ matrix.meson_setup }} builddir/
          meson compile -C builddir/

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          category: "/language:cpp"
          upload: false
          output: sarif-results

      - name: Filter out meson-internal test files
        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
        with:
          patterns: |
            -builddir/meson-private/**/testfile.c
          input: sarif-results/cpp.sarif
          output: sarif-results/cpp.sarif

      - name: Upload CodeQL results to code scanning
        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          sarif_file: sarif-results/cpp.sarif
          category: "/language:cpp"