Configure advanced codeql.yml scanning

It appears GH doesn't recognize our CodeQL pipeline and attempts to run its own default version. Rename the workflow to conform to what GH expects of the standard "advanced setup" for CodeQL, with some minor updates: - run on `release/*` branches - use the recommended job permissions - explicit `manual` build mode - use `c-cpp` instead of `cpp` - add a `codeql-config` file to ignore the test and vendor directories Based on recommendations here, which simple create the appropriate workflow: https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale Signed-off-by: Hamza El-Saawy <[email protected]>
helsaawy · Aug 21, 2024 · 8048fb8 · 8048fb8
1 parent 4f3da95
commit 8048fb8
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 10 deletions.
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,8 @@
+name: "CodeQL config"
+
+queries:
+  - uses: default
+
+paths-ignore:
+  - "/vendor/"
+  - "/test/"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -8,13 +8,13 @@
 # Additionally, see example CodeQL pipeline (in CodeQL repo):
 # https://github.com/github/codeql/blob/0342b3eba242476cea815e601942021092d0bc10/.github/workflows/codeql-analysis.yml
 
-name: "Code Scanning - CodeQL"
+name: "CodeQL"
 
 on:
   push:
-    branches: [main]
+    branches: [ "main", "release/*" ]
   pull_request:
-    branches: [main]
+    branches: [ "main", "release/*" ]
     paths-ignore:
       - "**/*.md"
       - "**/*.txt"
@@ -31,14 +31,22 @@ on:
 env:
   GO_VERSION: "1.21.x"
 
-permissions:
-  contents: read
-  packages: read
-  security-events: write
-
 jobs:
-  CodeQL-Build:
+  analyze:
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -64,7 +72,7 @@ jobs:
               internal/tools/zapdir,
 
           - goos: linux
-            language: go, cpp
+            language: go, c-cpp
             targets: >-
               cmd/gcs,
               cmd/gcstools,
@@ -90,7 +98,9 @@ jobs:
       - name: CodeQL Initialize
         uses: github/codeql-action/init@v3
         with:
+          build-mode: manual
           languages: ${{matrix.language}}
+          config-file: ./.github/codeql/codeql-config.yml
 
       # build binaries
       - name: Build go binaries