Build and Publish Windows CodeQL queries #589
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Continuous integration action for the CodeQL components of this repo. | |
# This downloads the CodeQL CLI and then builds all the queries in the "windows-drivers" folder. | |
name: Build and Publish Windows CodeQL queries | |
on: | |
# Triggers the workflow on push or pull request events but only for the main and development branches | |
push: | |
branches: [ main, development ] | |
pull_request: | |
branches: [ main, development ] | |
# Allow manual scheduling | |
workflow_dispatch: | |
jobs: | |
build-publish: | |
runs-on: windows-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Enable long git paths | |
shell: cmd | |
run: git config --global core.longpaths true | |
- name: Clone self (windows-driver-developer-supplemental-tools) | |
uses: actions/checkout@v4 | |
with: | |
path: . | |
fetch-depth: 0 | |
- name: Download CodeQL CLI | |
uses: i3h/[email protected] | |
with: | |
owner: "github" | |
repo: "codeql-cli-binaries" | |
tag: "v2.15.4" | |
file: "codeql-win64.zip" | |
- name: Unzip CodeQL CLI | |
run: Expand-Archive -Path codeql-win64.zip -DestinationPath .\codeql-zip -Force | |
- name: Move CodeQL CLI folder to main subdirectory | |
shell: cmd | |
continue-on-error: true # Required because robocopy returns 1 on success | |
run: robocopy /S /move .\codeql-zip\codeql .\codeql-cli\ | |
- name: Install CodeQL pack dependencies | |
shell: cmd | |
run: | | |
pushd .\src | |
..\codeql-cli\codeql.cmd pack install | |
popd | |
- name: codeql version test | |
run: .\codeql-cli\codeql.exe version | |
- name: Setup Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.11 | |
- name: Install Python Packages | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r .\src\drivers\test\requirements.txt | |
- name: Add msbuild to PATH | |
uses: microsoft/setup-msbuild@v2 | |
- name: Run test script | |
shell: pwsh | |
continue-on-error: true # Allow script to return non-zero exit code | |
env: | |
CONNECTION_STRING: ${{ secrets.CONNECTION_STRING }} | |
ACCOUNT_KEY: ${{ secrets.ACCOUNT_KEY }} | |
SHARE_NAME: ${{ secrets.SHARE_NAME }} | |
CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} | |
ACCOUNT_NAME: ${{ secrets.ACCOUNT_NAME }} | |
run: python src\drivers\test\build_create_analyze_test.py --codeql_path .\codeql-cli\codeql.exe --no_build --compare_results --connection_string "$env:CONNECTION_STRING" --share_name "$env:SHARE_NAME" --container_name "$env:CONTAINER_NAME" --storage_account_key "$env:ACCOUNT_KEY" --storage_account_name "$env:ACCOUNT_NAME" | |
- name: Build must-fix driver suite | |
shell: cmd | |
run: .\codeql-cli\codeql.cmd query compile --check-only windows_mustfix_partial.qls | |
- name: Build recommended driver suite | |
shell: cmd | |
run: .\codeql-cli\codeql.cmd query compile --check-only windows_recommended_partial.qls | |
- name: Build CA ported queries | |
shell: cmd | |
run: .\codeql-cli\codeql.cmd query compile --check-only ported_driver_ca_checks.qls | |
- name: Build all Windows queries | |
shell: cmd | |
run: .\codeql-cli\codeql.cmd query compile --check-only .\src | |
- name: Check for changes to qlpack | |
shell: pwsh | |
run: | |
$qlpack_diff = git diff HEAD~1:src/qlpack.yml src/qlpack.yml; | |
$rec_diff = git diff HEAD~1:src/windows-driver-suites/windows_recommended_partial.qls src/windows-driver-suites/windows_recommended_partial.qls; | |
$mf_diff = git diff HEAD~1:src/windows-driver-suites/windows_mustfix_partial.qls src/windows-driver-suites/windows_mustfix_partial.qls; | |
if (!$qlpack_diff -and ($rec_diff -or $mf_diff)) { "Query suite file updated without updating qlpack version"; exit 1 } | |
$last_qlpack_commit = git log -n 1 --pretty=format:%H -- src/qlpack.yml; | |
$qlpack_changes =git show $last_qlpack_commit -- .\src\qlpack.yml; | |
$last_mf_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/windows_mustfix_partial.qls; | |
$last_rec_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/windows_recommended_partial.qls; | |
$commits_since_qlpack_change = [int](git rev-list --count HEAD...$last_qlpack_commit); | |
$commits_since_mf_change = [int](git rev-list --count HEAD...$last_mf_commit); | |
$commits_since_rec_change = [int](git rev-list --count HEAD...$last_rec_commit); | |
if ($commits_since_qlpack_change -gt $commits_since_mf_change) { "Mustfix query suite file modified without updating version"; exit 1 }; | |
if ($commits_since_qlpack_change -gt $commits_since_rec_change) {"Recommended query suite file modified without updating version"; exit 1 }; | |
try{$old_qlpack_version = [version]($qlpack_changes -match "-version").Substring(10);} catch {"Changed qlpack.yml without updating version"; exit 1 } | |
try{$new_qlpack_version = [version]($qlpack_changes -match "\+version").Substring(10);} catch {"Changed qlpack.yml without updating version"; exit 1 } | |
if ($new_qlpack_version -gt $old_qlpack_version) { exit 0 } else { "qlpack.yml version not incremented"; exit 1 } | |
- name: Publish New CodeQL Pack | |
shell: pwsh | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | |
$build = git rev-parse --short HEAD; | |
$version =( Select-String .\src\qlpack.yml -Pattern "version").line; | |
$new_ver = "$version-alpha+$build"; | |
(Get-Content .\src\qlpack.yml).Replace($version, $new_ver) | Set-Content .\src\qlpack.yml; | |
.\codeql-cli\codeql.cmd pack publish --allow-prerelease ./src; | |