netty5/.github/workflows/codeql-analysis.yml

103 lines
3.9 KiB
YAML
Raw Normal View History

# ----------------------------------------------------------------------------
# Copyright 2021 The Netty Project
#
# The Netty Project licenses this file to you under the Apache License,
# version 2.0 (the "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at:
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# ----------------------------------------------------------------------------
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"
on:
push:
branches: ["4.1", main]
pull_request:
# The branches below must be a subset of the branches above
branches: ["4.1", main]
schedule:
- cron: '0 13 * * 3'
env:
MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryhandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=240
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
# Override automatic language detection by changing the below list
# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
language: ['java', 'cpp' ]
# Learn more...
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
steps:
- name: Checkout repository
uses: actions/checkout@v2
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
Bring forward build automation changes (#11052) This brings forward the build and release automation changes from 4.1 (#10879, #10883, #10884, #10886, #10888, #10889, #10893, #10900, #10933, #10945, #10966, #10968, #11002, and #11019) to 5.0. Details are as follows: * Use Github workflows for CI (#10879) Motivation: We should just use GitHub Actions for the CI Modifications: - Adjust docker / docker compose files - Add different workflows and jobs to deploy and build the project Result: Don't depend on external CI services * Fix non leak build condition * Only use build and deploy workflows for 4.1 for now * Add deploy job for cross compiled aarch64 (#10883) Motivation: We should also deploy snapshots for our cross compiled native jars. Modifications: - Add job and docker files for deploying cross compiled native jars - Ensure we map the maven cache into our docker containers Result: Deploy aarch64 jars and re-use cache * Use correct docker-compose file to deploy cross compiled artifacts * Use correct docker-compose task to deploy for cross compiled artifacts * Split pr and normal build (#10884) Motivation: We should better use seperate workflows for PR and normal builds Modifications: - Split workflows - Better cache reuse Result: Cleanup * Only deploy snapshots for one arch Motivation: We need to find a way to deploy SNAPSHOTS for different arch with the same timestamp. Otherwise it will cause problems. See https://github.com/netty/netty/issues/10887 Modification: Skip all other deploys then x86_64 Result: Users are able to use SNAPSHOTS for x86_6 * Use maven cachen when running analyze job (#10888) Motivation: To prevent failures to problems while downloading dependencies we shoud cache these Modifications: Add maven cache Result: No more failures due problems while downloading dependencies * Also include one PR job that uses boringssl (#10886) Motivation: When validating PRs we should also at least run one job that uses boringssl Modifications: - Add job that uses boringssl - Cleanup docker compose files - Fix buffer leak in test Result: Also run with boringssl when PRs are validated * Use matrix for job configurations (#10889) Motivation: We can use the matrix feature to define our jobs. This reduces a lot of config Modification: Use job matrix Result: Easier to maintain * Correctly deploy artifacts that are build on different archs (#10893) Motivation: We need to take special care when deploying snapshots as we need to generate the jars in multiple steps Modifications: - Use the nexus staging pluging to stage jars locally in multiple steps - Add extra job that will merge these staged jars and deploy these Result: Fixes https://github.com/netty/netty/issues/10887 * Dont use cron for PRs Motivation: It doesnt make sense to use cron for PRs Modifications: Remove cron config Result: Cleanup * We run all combinations when validate the PR, let's just use one type for normal push Motivation: Let us just only use one build config when building the 4.1 branch. Modifications: As we already do a full validation when doing the PR builds we can just only use one build config for pushes to the "main" branches Result: Faster build times * Update action-docker-layer-caching (#10900) Motivation: We are three releases behind. Modifications: Update to latest version Result: Use up-to-date action-docker-layer-caching version * Verify we can load native modules and add job that verifies on aarch64 as well (#10933) Motivation: As shown in the past we need to verify we actually can load the native as otherwise we may introduce regressions. Modifications: - Add new maven module which tests loading of native modules - Add job that will also test loading on aarch64 Result: Less likely to introduce regressions related to loading native code in the future * Let script fail if one command fail (#10945) Motivation: We should use `set -e` to ensure we fail the script if one command fails. Modifications: Add set -e to script Result: Fail fast * Use action to report unit test errors (#10966) Motivation: To make it easier to understand why the build fails lets use an action that will report which unit test failed Modifications: - Replace custom script with action-surefire-report Result: Easier to understand test failures * Use custom script to check for build failures (#10968) Motivation: It turns out we can't use the action to check for build failures as it can't be used when a PR is done from a fork. Let's just use our simple script. Modifications: - Replace action with custom script Result: Builds for PRs that are done via forks work again. * Publish test results after PR run (#11002) Motivation: To make it easier to understand why a build failed let us publish the rest results Modifications: Use a new workflow to be able to publish the test reports Result: Easier to understand why a PR did fail * Fix test reports name * Add workflow to cut releases (#11019) Motivation: Doing releases manually is error-prone, it would be better if we could do it via a workflow Modification: - Add workflow to cut releases - Add related scripts Result: Be able to easily cut a release via a workflow * Update build for master branch Motivation: The build changes were brought forward from 4.1, and contain many things specific to 4.1. Modification: Changed baseline Java version from 8 to 11, and changed branch references from "4.1" to "master". Result: Builds should now work for the master branch. Co-authored-by: Norman Maurer <norman_maurer@apple.com>
2021-03-02 17:44:03 +01:00
# Cache .m2/repository
- name: Cache local Maven repository
uses: actions/cache@v2
Bring forward build automation changes (#11052) This brings forward the build and release automation changes from 4.1 (#10879, #10883, #10884, #10886, #10888, #10889, #10893, #10900, #10933, #10945, #10966, #10968, #11002, and #11019) to 5.0. Details are as follows: * Use Github workflows for CI (#10879) Motivation: We should just use GitHub Actions for the CI Modifications: - Adjust docker / docker compose files - Add different workflows and jobs to deploy and build the project Result: Don't depend on external CI services * Fix non leak build condition * Only use build and deploy workflows for 4.1 for now * Add deploy job for cross compiled aarch64 (#10883) Motivation: We should also deploy snapshots for our cross compiled native jars. Modifications: - Add job and docker files for deploying cross compiled native jars - Ensure we map the maven cache into our docker containers Result: Deploy aarch64 jars and re-use cache * Use correct docker-compose file to deploy cross compiled artifacts * Use correct docker-compose task to deploy for cross compiled artifacts * Split pr and normal build (#10884) Motivation: We should better use seperate workflows for PR and normal builds Modifications: - Split workflows - Better cache reuse Result: Cleanup * Only deploy snapshots for one arch Motivation: We need to find a way to deploy SNAPSHOTS for different arch with the same timestamp. Otherwise it will cause problems. See https://github.com/netty/netty/issues/10887 Modification: Skip all other deploys then x86_64 Result: Users are able to use SNAPSHOTS for x86_6 * Use maven cachen when running analyze job (#10888) Motivation: To prevent failures to problems while downloading dependencies we shoud cache these Modifications: Add maven cache Result: No more failures due problems while downloading dependencies * Also include one PR job that uses boringssl (#10886) Motivation: When validating PRs we should also at least run one job that uses boringssl Modifications: - Add job that uses boringssl - Cleanup docker compose files - Fix buffer leak in test Result: Also run with boringssl when PRs are validated * Use matrix for job configurations (#10889) Motivation: We can use the matrix feature to define our jobs. This reduces a lot of config Modification: Use job matrix Result: Easier to maintain * Correctly deploy artifacts that are build on different archs (#10893) Motivation: We need to take special care when deploying snapshots as we need to generate the jars in multiple steps Modifications: - Use the nexus staging pluging to stage jars locally in multiple steps - Add extra job that will merge these staged jars and deploy these Result: Fixes https://github.com/netty/netty/issues/10887 * Dont use cron for PRs Motivation: It doesnt make sense to use cron for PRs Modifications: Remove cron config Result: Cleanup * We run all combinations when validate the PR, let's just use one type for normal push Motivation: Let us just only use one build config when building the 4.1 branch. Modifications: As we already do a full validation when doing the PR builds we can just only use one build config for pushes to the "main" branches Result: Faster build times * Update action-docker-layer-caching (#10900) Motivation: We are three releases behind. Modifications: Update to latest version Result: Use up-to-date action-docker-layer-caching version * Verify we can load native modules and add job that verifies on aarch64 as well (#10933) Motivation: As shown in the past we need to verify we actually can load the native as otherwise we may introduce regressions. Modifications: - Add new maven module which tests loading of native modules - Add job that will also test loading on aarch64 Result: Less likely to introduce regressions related to loading native code in the future * Let script fail if one command fail (#10945) Motivation: We should use `set -e` to ensure we fail the script if one command fails. Modifications: Add set -e to script Result: Fail fast * Use action to report unit test errors (#10966) Motivation: To make it easier to understand why the build fails lets use an action that will report which unit test failed Modifications: - Replace custom script with action-surefire-report Result: Easier to understand test failures * Use custom script to check for build failures (#10968) Motivation: It turns out we can't use the action to check for build failures as it can't be used when a PR is done from a fork. Let's just use our simple script. Modifications: - Replace action with custom script Result: Builds for PRs that are done via forks work again. * Publish test results after PR run (#11002) Motivation: To make it easier to understand why a build failed let us publish the rest results Modifications: Use a new workflow to be able to publish the test reports Result: Easier to understand why a PR did fail * Fix test reports name * Add workflow to cut releases (#11019) Motivation: Doing releases manually is error-prone, it would be better if we could do it via a workflow Modification: - Add workflow to cut releases - Add related scripts Result: Be able to easily cut a release via a workflow * Update build for master branch Motivation: The build changes were brought forward from 4.1, and contain many things specific to 4.1. Modification: Changed baseline Java version from 8 to 11, and changed branch references from "4.1" to "master". Result: Builds should now work for the master branch. Co-authored-by: Norman Maurer <norman_maurer@apple.com>
2021-03-02 17:44:03 +01:00
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ matrix.language }} ${{ hashFiles('**/pom.xml') }}
Bring forward build automation changes (#11052) This brings forward the build and release automation changes from 4.1 (#10879, #10883, #10884, #10886, #10888, #10889, #10893, #10900, #10933, #10945, #10966, #10968, #11002, and #11019) to 5.0. Details are as follows: * Use Github workflows for CI (#10879) Motivation: We should just use GitHub Actions for the CI Modifications: - Adjust docker / docker compose files - Add different workflows and jobs to deploy and build the project Result: Don't depend on external CI services * Fix non leak build condition * Only use build and deploy workflows for 4.1 for now * Add deploy job for cross compiled aarch64 (#10883) Motivation: We should also deploy snapshots for our cross compiled native jars. Modifications: - Add job and docker files for deploying cross compiled native jars - Ensure we map the maven cache into our docker containers Result: Deploy aarch64 jars and re-use cache * Use correct docker-compose file to deploy cross compiled artifacts * Use correct docker-compose task to deploy for cross compiled artifacts * Split pr and normal build (#10884) Motivation: We should better use seperate workflows for PR and normal builds Modifications: - Split workflows - Better cache reuse Result: Cleanup * Only deploy snapshots for one arch Motivation: We need to find a way to deploy SNAPSHOTS for different arch with the same timestamp. Otherwise it will cause problems. See https://github.com/netty/netty/issues/10887 Modification: Skip all other deploys then x86_64 Result: Users are able to use SNAPSHOTS for x86_6 * Use maven cachen when running analyze job (#10888) Motivation: To prevent failures to problems while downloading dependencies we shoud cache these Modifications: Add maven cache Result: No more failures due problems while downloading dependencies * Also include one PR job that uses boringssl (#10886) Motivation: When validating PRs we should also at least run one job that uses boringssl Modifications: - Add job that uses boringssl - Cleanup docker compose files - Fix buffer leak in test Result: Also run with boringssl when PRs are validated * Use matrix for job configurations (#10889) Motivation: We can use the matrix feature to define our jobs. This reduces a lot of config Modification: Use job matrix Result: Easier to maintain * Correctly deploy artifacts that are build on different archs (#10893) Motivation: We need to take special care when deploying snapshots as we need to generate the jars in multiple steps Modifications: - Use the nexus staging pluging to stage jars locally in multiple steps - Add extra job that will merge these staged jars and deploy these Result: Fixes https://github.com/netty/netty/issues/10887 * Dont use cron for PRs Motivation: It doesnt make sense to use cron for PRs Modifications: Remove cron config Result: Cleanup * We run all combinations when validate the PR, let's just use one type for normal push Motivation: Let us just only use one build config when building the 4.1 branch. Modifications: As we already do a full validation when doing the PR builds we can just only use one build config for pushes to the "main" branches Result: Faster build times * Update action-docker-layer-caching (#10900) Motivation: We are three releases behind. Modifications: Update to latest version Result: Use up-to-date action-docker-layer-caching version * Verify we can load native modules and add job that verifies on aarch64 as well (#10933) Motivation: As shown in the past we need to verify we actually can load the native as otherwise we may introduce regressions. Modifications: - Add new maven module which tests loading of native modules - Add job that will also test loading on aarch64 Result: Less likely to introduce regressions related to loading native code in the future * Let script fail if one command fail (#10945) Motivation: We should use `set -e` to ensure we fail the script if one command fails. Modifications: Add set -e to script Result: Fail fast * Use action to report unit test errors (#10966) Motivation: To make it easier to understand why the build fails lets use an action that will report which unit test failed Modifications: - Replace custom script with action-surefire-report Result: Easier to understand test failures * Use custom script to check for build failures (#10968) Motivation: It turns out we can't use the action to check for build failures as it can't be used when a PR is done from a fork. Let's just use our simple script. Modifications: - Replace action with custom script Result: Builds for PRs that are done via forks work again. * Publish test results after PR run (#11002) Motivation: To make it easier to understand why a build failed let us publish the rest results Modifications: Use a new workflow to be able to publish the test reports Result: Easier to understand why a PR did fail * Fix test reports name * Add workflow to cut releases (#11019) Motivation: Doing releases manually is error-prone, it would be better if we could do it via a workflow Modification: - Add workflow to cut releases - Add related scripts Result: Be able to easily cut a release via a workflow * Update build for master branch Motivation: The build changes were brought forward from 4.1, and contain many things specific to 4.1. Modification: Changed baseline Java version from 8 to 11, and changed branch references from "4.1" to "master". Result: Builds should now work for the master branch. Co-authored-by: Norman Maurer <norman_maurer@apple.com>
2021-03-02 17:44:03 +01:00
restore-keys: |
${{ runner.os }}-maven-${{ matrix.language }}
${{ runner.os }}-maven-
Bring forward build automation changes (#11052) This brings forward the build and release automation changes from 4.1 (#10879, #10883, #10884, #10886, #10888, #10889, #10893, #10900, #10933, #10945, #10966, #10968, #11002, and #11019) to 5.0. Details are as follows: * Use Github workflows for CI (#10879) Motivation: We should just use GitHub Actions for the CI Modifications: - Adjust docker / docker compose files - Add different workflows and jobs to deploy and build the project Result: Don't depend on external CI services * Fix non leak build condition * Only use build and deploy workflows for 4.1 for now * Add deploy job for cross compiled aarch64 (#10883) Motivation: We should also deploy snapshots for our cross compiled native jars. Modifications: - Add job and docker files for deploying cross compiled native jars - Ensure we map the maven cache into our docker containers Result: Deploy aarch64 jars and re-use cache * Use correct docker-compose file to deploy cross compiled artifacts * Use correct docker-compose task to deploy for cross compiled artifacts * Split pr and normal build (#10884) Motivation: We should better use seperate workflows for PR and normal builds Modifications: - Split workflows - Better cache reuse Result: Cleanup * Only deploy snapshots for one arch Motivation: We need to find a way to deploy SNAPSHOTS for different arch with the same timestamp. Otherwise it will cause problems. See https://github.com/netty/netty/issues/10887 Modification: Skip all other deploys then x86_64 Result: Users are able to use SNAPSHOTS for x86_6 * Use maven cachen when running analyze job (#10888) Motivation: To prevent failures to problems while downloading dependencies we shoud cache these Modifications: Add maven cache Result: No more failures due problems while downloading dependencies * Also include one PR job that uses boringssl (#10886) Motivation: When validating PRs we should also at least run one job that uses boringssl Modifications: - Add job that uses boringssl - Cleanup docker compose files - Fix buffer leak in test Result: Also run with boringssl when PRs are validated * Use matrix for job configurations (#10889) Motivation: We can use the matrix feature to define our jobs. This reduces a lot of config Modification: Use job matrix Result: Easier to maintain * Correctly deploy artifacts that are build on different archs (#10893) Motivation: We need to take special care when deploying snapshots as we need to generate the jars in multiple steps Modifications: - Use the nexus staging pluging to stage jars locally in multiple steps - Add extra job that will merge these staged jars and deploy these Result: Fixes https://github.com/netty/netty/issues/10887 * Dont use cron for PRs Motivation: It doesnt make sense to use cron for PRs Modifications: Remove cron config Result: Cleanup * We run all combinations when validate the PR, let's just use one type for normal push Motivation: Let us just only use one build config when building the 4.1 branch. Modifications: As we already do a full validation when doing the PR builds we can just only use one build config for pushes to the "main" branches Result: Faster build times * Update action-docker-layer-caching (#10900) Motivation: We are three releases behind. Modifications: Update to latest version Result: Use up-to-date action-docker-layer-caching version * Verify we can load native modules and add job that verifies on aarch64 as well (#10933) Motivation: As shown in the past we need to verify we actually can load the native as otherwise we may introduce regressions. Modifications: - Add new maven module which tests loading of native modules - Add job that will also test loading on aarch64 Result: Less likely to introduce regressions related to loading native code in the future * Let script fail if one command fail (#10945) Motivation: We should use `set -e` to ensure we fail the script if one command fails. Modifications: Add set -e to script Result: Fail fast * Use action to report unit test errors (#10966) Motivation: To make it easier to understand why the build fails lets use an action that will report which unit test failed Modifications: - Replace custom script with action-surefire-report Result: Easier to understand test failures * Use custom script to check for build failures (#10968) Motivation: It turns out we can't use the action to check for build failures as it can't be used when a PR is done from a fork. Let's just use our simple script. Modifications: - Replace action with custom script Result: Builds for PRs that are done via forks work again. * Publish test results after PR run (#11002) Motivation: To make it easier to understand why a build failed let us publish the rest results Modifications: Use a new workflow to be able to publish the test reports Result: Easier to understand why a PR did fail * Fix test reports name * Add workflow to cut releases (#11019) Motivation: Doing releases manually is error-prone, it would be better if we could do it via a workflow Modification: - Add workflow to cut releases - Add related scripts Result: Be able to easily cut a release via a workflow * Update build for master branch Motivation: The build changes were brought forward from 4.1, and contain many things specific to 4.1. Modification: Changed baseline Java version from 8 to 11, and changed branch references from "4.1" to "master". Result: Builds should now work for the master branch. Co-authored-by: Norman Maurer <norman_maurer@apple.com>
2021-03-02 17:44:03 +01:00
# If this run was triggered by a pull request event, then checkout
# the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
# - name: Autobuild
# uses: github/codeql-action/autobuild@v1
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
- uses: actions/setup-java@v1
with:
java-version: '11' # The JDK version to make available on the path.
- name: Compile project
run: ./mvnw -B -ntp clean package -DskipTests=true
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1