Sunshine/.github/workflows/codeql.yml

---
# This action is centrally managed in https://github.com/<organization>/.github/
# Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in
# the above-mentioned repo.

# This workflow will analyze all supported languages in the repository using CodeQL Analysis.

name: "CodeQL"

on:
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]
  schedule:
    - cron: '00 12 * * 0'  # every Sunday at 12:00 UTC

concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true

jobs:
  languages:
    name: Get language matrix
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.lang.outputs.result }}
      continue: ${{ steps.continue.outputs.result }}
    steps:
      - name: Get repo languages
        uses: actions/github-script@v7
        id: lang
        with:
          script: |
            // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift']
            // Use only 'java' to analyze code written in Java, Kotlin or both
            // Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
            // Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
            const supported_languages = ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift']

            const remap_languages = {
              'c++': 'cpp',
              'c#': 'csharp',
              'kotlin': 'java',
              'typescript': 'javascript',
            }

            const repo = context.repo
            const response = await github.rest.repos.listLanguages(repo)
            let matrix = {
              "include": []
            }

            for (let [key, value] of Object.entries(response.data)) {
              // remap language
              if (remap_languages[key.toLowerCase()]) {
                console.log(`Remapping language: ${key} to ${remap_languages[key.toLowerCase()]}`)
                key = remap_languages[key.toLowerCase()]
              }
              if (supported_languages.includes(key.toLowerCase())) {
                console.log(`Found supported language: ${key}`)
                let osList = ['ubuntu-latest'];
                if (key.toLowerCase() === 'swift') {
                  osList = ['macos-latest'];
                } else if (key.toLowerCase() === 'cpp') {
                  // TODO: update macos to latest after the below issue is resolved
                  // https://github.com/github/codeql-action/issues/2266
                  osList = ['macos-13', 'ubuntu-latest', 'windows-latest'];
                }
                for (let os of osList) {
                  // set name for matrix
                  if (osList.length == 1) {
                    name = key.toLowerCase()
                  } else {
                    name = `${key.toLowerCase()}, ${os}`
                  }

                  // add to matrix
                  matrix['include'].push({"language": key.toLowerCase(), "os": os, "name": name})
                }
              }
            }

            // print languages
            console.log(`matrix: ${JSON.stringify(matrix)}`)

            return matrix            

      - name: Continue
        uses: actions/github-script@v7
        id: continue
        with:
          script: |
            // if matrix['include'] is an empty list return false, otherwise true
            const matrix = ${{ steps.lang.outputs.result }}  // this is already json encoded

            if (matrix['include'].length == 0) {
              return false
            } else {
              return true
            }            

  analyze:
    name: Analyze (${{ matrix.name }})
    if: ${{ needs.languages.outputs.continue == 'true' }}
    defaults:
      run:
        shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }}
    env:
      GITHUB_CODEQL_BUILD: true
    needs: [languages]
    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.languages.outputs.matrix) }}

    steps:
      - name: Maximize build space
        if: >-
          runner.os == 'Linux' &&
          matrix.language == 'cpp'          
        uses: easimon/maximize-build-space@v10
        with:
          root-reserve-mb: 30720
          remove-dotnet: ${{ (matrix.language == 'csharp' && 'false') || 'true' }}
          remove-android: 'true'
          remove-haskell: 'true'
          remove-codeql: 'false'
          remove-docker-images: 'true'

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Setup msys2
        if: >-
          runner.os == 'Windows' &&
          matrix.language == 'cpp'          
        uses: msys2/setup-msys2@v2
        with:
          msystem: ucrt64
          update: true

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.

          # yamllint disable-line rule:line-length
          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality
          config: |
            paths-ignore:
              - build
              - node_modules
              - third-party            

      # Pre autobuild
      # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository
      # create a file named .codeql-build-${{ matrix.language }}.sh in the root of your repository
      - name: Prebuild
        id: prebuild
        run: |
          # check if prebuild script exists
          filename=".codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh"
          if [ -f "./${filename}" ]; then
            echo "Running prebuild script: ${filename}"
            ./${filename}
          fi          

      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
      - name: Autobuild
        if: steps.prebuild.outputs.skip_autobuild != 'true'
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"
          output: sarif-results
          upload: failure-only

      - name: filter-sarif
        uses: advanced-security/filter-sarif@v1
        with:
          input: sarif-results/${{ matrix.language }}.sarif
          output: sarif-results/${{ matrix.language }}.sarif
          patterns: |
            -build/**
            -node_modules/**
            -third\-party/**            

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results/${{ matrix.language }}.sarif

      - name: Upload loc as a Build Artifact
        uses: actions/upload-artifact@v4
        with:
          name: sarif-results-${{ matrix.language }}-${{ runner.os }}
          path: sarif-results
          retention-days: 1