--- # vi: ts=2 sw=2 et: # SPDX-License-Identifier: LGPL-2.1-or-later # name: "CodeQL" on: pull_request: branches: - main - v[0-9]+-stable paths: - '**/meson.build' - '.github/**/codeql*' - 'src/**' - 'test/**' - 'tools/**' push: branches: - main - v[0-9]+-stable permissions: contents: read jobs: analyze: name: Analyze if: github.repository != 'systemd/systemd-security' runs-on: ubuntu-24.04 concurrency: group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }} cancel-in-progress: true permissions: actions: read security-events: write strategy: fail-fast: false matrix: language: ['cpp', 'python'] steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e with: languages: ${{ matrix.language }} config-file: ./.github/codeql-config.yml - run: | sudo -E .github/workflows/unit-tests.sh SETUP # TODO: drop after we switch to ubuntu 26.04 bpftool_binary=$(find /usr/lib/linux-tools/ /usr/lib/linux-tools-* -name 'bpftool' -perm /u=x 2>/dev/null | sort -r | head -n1) if [ -n "$bpftool_binary" ]; then sudo rm -f /usr/{bin,sbin}/bpftool sudo ln -s "$bpftool_binary" /usr/bin/ fi - name: Autobuild uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e