forked from surrealdb/surrealdb
-
Notifications
You must be signed in to change notification settings - Fork 0
84 lines (71 loc) · 2.71 KB
/
Copy pathcodeql.yml
File metadata and controls
84 lines (71 loc) · 2.71 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# CodeQL security analysis for Rust
#
# This workflow performs static security analysis using GitHub CodeQL.
# It is configured to:
# - Run on main branch pushes and on a weekly schedule (not on PRs to avoid blocking merges)
# - Use build-mode: none to avoid full Rust compilation (saves significant disk space)
# - Clean up disk space before analysis to prevent out-of-space errors
#
# Results are uploaded to GitHub Security tab but do not block PR merges.
name: CodeQL
on:
push:
branches:
- main
- releases/**
schedule:
# Run weekly on Sunday at 3:00 AM UTC
- cron: "0 3 * * 0"
workflow_dispatch:
# Prevent multiple concurrent CodeQL analyses
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
analyze:
name: Analyze Rust
runs-on: ubuntu-latest
timeout-minutes: 120
permissions:
# Required for all workflows
security-events: write
# Required to fetch internal or private CodeQL packs
packages: read
# Only required for workflows in private repositories
actions: read
contents: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# Install Rust toolchain for rust-analyzer (used by CodeQL in build-mode: none)
- name: Setup environment
uses: ./.github/actions/setup-environment
- name: Initialize CodeQL
uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
with:
languages: rust
# Use build-mode: none to avoid full Rust compilation
# This uses rust-analyzer to compile build scripts and macros only,
# dramatically reducing disk space usage compared to a full build
build-mode: none
# Use custom config to exclude test directories and reduce analysis scope
config-file: ./.github/codeql/codeql-config.yml
# Use the default CodeQL query suites for security analysis
queries: security-extended
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
with:
category: "/language:rust"
# Upload results even if previous steps had warnings
upload: always
- name: Cleanup CodeQL database
if: always()
run: |
# Clean up the CodeQL database to free disk space
rm -rf "${{ runner.temp }}/codeql_databases" || true