On Fri, Feb 25, 2022 at 03:38:42PM +0000, Andrew Cooper wrote: > On 25/02/2022 15:19, Roger Pau Monne wrote: > > Introduce CodeQL support for Xen and analyze the C, Python and Go > > files. > > > > Note than when analyzing Python or Go we avoid building the hypervisor > > and only build the tools. > > > > Requested-by: Andrew Cooper <andrew.coop...@citrix.com> > > Signed-off-by: Roger Pau Monné <roger....@citrix.com> > > --- > > TBD: there's no limit in the number of scans here unlike Coverity, but > > each takes github minutes and we are limited to 2000 per month IIRC. > > We might want to not perform a scan for each push. > > We don't push very often, and github is slower at noticing anyway, so I > think we ought to be fine. > > We can always revisit the decision if we do end up hitting limits. > > > TBD: should we also disable the shim build? I'm not sure there's much > > value in analyzing it. > > Shim's logic is quite different in areas. I'd say it's worth keeping.
Ack to both. > > --- > > .github/workflows/codeql.yml | 59 ++++++++++++++++++++++++++++++++++++ > > 1 file changed, 59 insertions(+) > > create mode 100644 .github/workflows/codeql.yml > > > > diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml > > new file mode 100644 > > index 0000000000..5bfe478983 > > --- /dev/null > > +++ b/.github/workflows/codeql.yml > > @@ -0,0 +1,59 @@ > > +name: CodeQL > > As a thought... As we're considering doing cross-arm checks, should we > use an x86 suffix here ? It would be nice to handle all arches in the same file, but the divergences could be bigger than the shared parts, since setting up all the Arm cross-build env is likely not trivial. I also wonder how to tag x86 vs Arm databases, but I guess we will find a way. Maybe using the 'category' field for the analyze action? > > + > > +on: > > + workflow_dispatch: > > + push: > > + branches: [staging] > > + schedule: > > + - cron: '18 10 * * WED,SUN' # Bi-weekly at 10:18 UTC > > + > > +jobs: > > + analyse: > > + > > + strategy: > > + matrix: > > + language: [ 'cpp', 'python', 'go' ] > > + > > + runs-on: ubuntu-latest > > + > > + steps: > > + - name: Install build dependencies > > + run: | > > + sudo apt-get install -y wget git \ > > + libbz2-dev build-essential \ > > + zlib1g-dev libncurses5-dev iasl \ > > + libbz2-dev e2fslibs-dev uuid-dev libyajl-dev \ > > + autoconf libtool liblzma-dev \ > > + python3-dev golang python-dev libsystemd-dev > > + > > + - uses: actions/checkout@v2 > > + with: > > + ref: staging > > This one doesn't want to be forced to staging. The github integration > does work properly with different branches. Don't we need this so the `schedule` triggered run picks the staging branch instead of master? Thanks, Roger.
