name: "CodeQL" on: push: pull_request: concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} cancel-in-progress: true permissions: contents: read jobs: analyze: name: Analyze # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners # Consider using larger runners for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: language: [ 'c-cpp' ] # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout repository uses: actions/checkout@v7 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality config: | query-filters: - exclude: id: cpp/non-https-url - name: Install dependencies run: | sudo apt update sudo apt-get install -y ccache cmake g++ sudo apt-get install -y --allow-unauthenticated build-essential protobuf-c-compiler libprotobuf-c-dev bison flex libfribidi-dev \ librsvg2-dev colordiff libpq-dev libpng-dev libjpeg-dev libgif-dev libgeos-dev libfreetype6-dev libfcgi-dev libcurl4-gnutls-dev \ libcairo2-dev libgdal-dev libproj-dev libxml2-dev libexempi-dev libharfbuzz-dev # cache the .ccache directory # key it on the runner os, build type, deps, and arch # It's especially important to include arch in the key because we # may get runtime errors with -mavx2 from objects built on a # different architecture. - name: Restore build cache if: matrix.language == 'c-cpp' id: restore-cache uses: actions/cache/restore@v6 with: path: ${{ github.workspace }}/.ccache key: ${{ matrix.id }}-${{ steps.get-arch.outputs.arch }}-${{ github.ref_name }}-${{ github.run_id }} restore-keys: | ${{ matrix.id }}-${{ steps.get-arch.outputs.arch }}-${{ github.ref_name }} ${{ matrix.id }}-${{ steps.get-arch.outputs.arch }} - name: Configure ccache if: matrix.language == 'c-cpp' run: | echo CCACHE_BASEDIR=${{ github.workspace }} >> ${GITHUB_ENV} echo CCACHE_DIR=${{ github.workspace }}/.ccache >> ${GITHUB_ENV} echo CCACHE_MAXSIZE=250M >> ${GITHUB_ENV} ccache -z - name: Build if: matrix.language == 'c-cpp' run: | mkdir build cd build export CC="ccache gcc" export CXX="ccache g++" cmake .. -DCMAKE_BUILD_TYPE=RelWithDebInfo \ -DWITH_CLIENT_WMS=1 \ -DWITH_CLIENT_WFS=1 -DWITH_KML=1 -DWITH_SOS=1 \ -DWITH_THREAD_SAFETY=1 -DWITH_FRIBIDI=1 -DWITH_FCGI=1 -DWITH_EXEMPI=1 \ -DWITH_RSVG=1 -DWITH_CURL=1 -DWITH_HARFBUZZ=1 -DWITH_MSSQL2008=ON make -j$(nproc) - name: Summarize ccache if: matrix.language == 'c-cpp' run: | ccache -s - name: Save build cache if: matrix.language == 'c-cpp' uses: actions/cache/save@v6 with: path: ${{ github.workspace }}/.ccache key: ${{ steps.restore-cache.outputs.cache-primary-key }} - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}"