Fix CodeQL builds (#38629)
* trying to fix codeql issue
* testing the workflow
* clean out build output for linux_gccd debug workflow
* deactivate darwin + others which are not used anyway
* deactivate Build on Linux release
* have less build steps with CodeQL
* do not submit CodeQL analysis of tests
* disabling some checks
* adding two query suites
diff --git a/.github/actions/perform-codeql-analysis/action.yaml b/.github/actions/perform-codeql-analysis/action.yaml
index f1caf10..7be3ac5 100644
--- a/.github/actions/perform-codeql-analysis/action.yaml
+++ b/.github/actions/perform-codeql-analysis/action.yaml
@@ -8,7 +8,7 @@
using: "composite"
steps:
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ inputs.language }}"
upload: False
@@ -19,11 +19,18 @@
patterns: |
-**/third_party/**
-**/scripts/**
+ -**/tests/**
+
+ # Disabling checks that are not too important, and that result in many hundreds of alerts due to generated code
+ # Disable checks: No trivial switch statements
+ -**/*.cpp:cpp/trivial-switch
+ # Disable check: Empty branch of conditional
+ -**/*.cpp:cpp/empty-block
input: "sarif-results/${{ inputs.language }}.sarif"
output: "sarif-results/${{ inputs.language }}.sarif"
- name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "sarif-results/${{ inputs.language }}.sarif"
- name: Upload loc as a Build Artifact
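Review bot: The two new exclusions `-**/*.cpp:cpp/trivial-switch` and `-**/*.cpp:cpp/empty-block` suppress those queries for every .cpp file, while the comment above them justifies the suppression only by generated code, so genuine findings in hand-written sources are silently dropped as well. If the generated sources live under identifiable directories, narrowing the pattern to them, e.g. `-**/<generated-dir>/**:cpp/trivial-switch` (placeholder path), keeps both queries active elsewhere. The `-**/tests/**` line likewise removes every finding under tests from the uploaded SARIF, which is a reasonable choice but deserves a one-line comment stating it is deliberate, and the two comments could use the same wording (`Disable check:` for both). The step that consumes these patterns starts above the hunk, so the filter action itself is not visible here.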
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index eee1bf9..ad1149e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -75,27 +75,49 @@
uses: github/codeql-action/init@v3
with:
languages: "cpp"
+ queries: security-extended, security-and-quality
- name: Setup Build
run: scripts/build/gn_gen.sh --args="chip_config_memory_debug_checks=true chip_config_memory_debug_dmalloc=false"
- name: Run Build
run: scripts/run_in_build_env.sh "ninja -C ./out"
- name: Run Tests
run: scripts/tests/gn_tests.sh
+ - name: Clean out build output
+ run: rm -rf ./out
+
+ # Do not run below steps with CodeQL since we are getting "Out of runner space issues" with CodeQL and their added coverage is limited
- name: Set up Build Without Detail Logging
+ if: inputs.run-codeql != true
run: scripts/build/gn_gen.sh --args="chip_detail_logging=false"
- name: Run Build Without Detail Logging
+ if: inputs.run-codeql != true
run: scripts/run_in_build_env.sh "ninja -C ./out"
+ - name: Cleanout build output
+ if: inputs.run-codeql != true
+ run: rm -rf ./out
- name: Set up Build Without Progress Logging
+ if: inputs.run-codeql != true
run: scripts/build/gn_gen.sh --args="chip_detail_logging=false chip_progress_logging=false"
- name: Run Build Without Progress Logging
+ if: inputs.run-codeql != true
run: scripts/run_in_build_env.sh "ninja -C ./out"
+ - name: Clean out build output
+ if: inputs.run-codeql != true
+ run: rm -rf ./out
- name: Set up Build Without Error Logging
+ if: inputs.run-codeql != true
run: scripts/build/gn_gen.sh --args="chip_detail_logging=false chip_progress_logging=false chip_error_logging=false"
- name: Run Build Without Error Logging
+ if: inputs.run-codeql != true
run: scripts/run_in_build_env.sh "ninja -C ./out"
+ - name: Clean out build output
+ if: inputs.run-codeql != true
+ run: rm -rf ./out
- name: Set up Build Without Logging
+ if: inputs.run-codeql != true
run: scripts/build/gn_gen.sh --args="chip_logging=false"
- name: Run Build Without Logging
+ if: inputs.run-codeql != true
run: scripts/run_in_build_env.sh "ninja -C ./out"
- name: Uploading core files
uses: actions/upload-artifact@v4
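Review bot: `queries: security-extended, security-and-quality` at the init step names two suites where the second already contains the first — in CodeQL's built-in suites, security-and-quality is security-extended plus the maintainability and reliability queries — so `queries: security-and-quality` alone expresses the same configuration and avoids suggesting two independent suites are run. The new cleanup steps are also named inconsistently: `Cleanout build output` differs from the three `Clean out build output` steps, and four identically named steps make the job log harder to navigate, so naming each after the build it clears (e.g. `Clean out build output (no detail logging)`) would help. The comment `Do not run below steps with CodeQL` is placed after the first, unconditional cleanup step; that is correct, but a reader can easily take it as applying to that step too, so moving the comment directly above the first guarded step would be clearer.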
@@ -128,7 +150,7 @@
name: Build on Linux (fake, gcc_release, clang, simulated)
runs-on: ubuntu-latest
- if: github.actor != 'restyled-io[bot]'
+ if: github.actor != 'restyled-io[bot]' && inputs.run-codeql != true
container:
image: ghcr.io/project-chip/chip-build:125
@@ -161,11 +183,13 @@
uses: ./.github/actions/checkout-submodules-and-bootstrap
with:
platform: linux
- - name: Initialize CodeQL
- if: ${{ inputs.run-codeql }}
- uses: github/codeql-action/init@v3
- with:
- languages: "cpp"
+ # CodeQL + this job is consistently failing (in the step "Run Tests with sanitizers")
+ # deactivate until a better workaround is found
+ # - name: Initialize CodeQL
+ # if: ${{ inputs.run-codeql }}
+ # uses: github/codeql-action/init@v3
+ # with:
+ # languages: "cpp"
- name: Setup and Build Simulated Device
run: |
BUILD_TYPE=simulated
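Review bot: The commented-out `Initialize CodeQL` block (and the matching `Perform CodeQL Analysis` block in the hunk at +294) is dead configuration either way: judging by the line numbers this hunk appears to sit inside the "Build on Linux (fake, gcc_release, clang, simulated)" job, which the earlier hunk now skips entirely with `inputs.run-codeql != true`, so the guarded steps could not run even if uncommented. Deleting the blocks and keeping a single comment that states why CodeQL is not run in this job, with a reference such as `# see <tracking-issue>` (placeholder), is cleaner than leaving stale steps in the workflow, since git history already preserves the old configuration. The same applies to the two Darwin hunks at +441 and +500, whose job is gated the same way.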
@@ -270,11 +294,13 @@
run: |
./scripts/run_in_build_env.sh \
"./scripts/build/build_examples.py --target linux-fake-tests build"
- - name: Perform CodeQL Analysis
- if: ${{ inputs.run-codeql }}
- uses: ./.github/actions/perform-codeql-analysis
- with:
- language: cpp
+ # CodeQL + this job is consistently failing (in the step "Run Tests with sanitizers")
+ # deactivate until a better solution is found
+ # - name: Perform CodeQL Analysis
+ # if: ${{ inputs.run-codeql }}
+ # uses: ./.github/actions/perform-codeql-analysis
+ # with:
+ # language: cpp
- name: Uploading core files
uses: actions/upload-artifact@v4
@@ -302,7 +328,7 @@
name: Build on Linux (python_lib)
runs-on: ubuntu-latest
- if: github.actor != 'restyled-io[bot]'
+ if: github.actor != 'restyled-io[bot]' && inputs.run-codeql != true
container:
image: ghcr.io/project-chip/chip-build:125
@@ -367,7 +393,7 @@
name: Build on Linux (python lighting-app)
runs-on: ubuntu-latest
- if: github.actor != 'restyled-io[bot]'
+ if: github.actor != 'restyled-io[bot]' && inputs.run-codeql != true
container:
image: ghcr.io/project-chip/chip-build:125
@@ -400,7 +426,7 @@
build_darwin:
name: Build on Darwin (clang, simulated)
runs-on: macos-13
- if: github.actor != 'restyled-io[bot]'
+ if: github.actor != 'restyled-io[bot]' && inputs.run-codeql != true
steps:
- name: Checkout
@@ -415,11 +441,12 @@
- name: Try to ensure the directory for diagnostic log collection exists
run: |
mkdir -p ~/Library/Logs/DiagnosticReports || true
- - name: Initialize CodeQL
- if: ${{ inputs.run-codeql }}
- uses: github/codeql-action/init@v3
- with:
- languages: "cpp"
+ # Build on Darwin + CodeQL often takes 6 hours (which is more than the maximum allowed by GitHub Runners), Deactivate it until we can investigate this
+ # - name: Initialize CodeQL
+ # if: ${{ inputs.run-codeql }}
+ # uses: github/codeql-action/init@v3
+ # with:
+ # languages: "cpp"
- name: Setup and Build Simulated Device
run: |
@@ -473,11 +500,12 @@
name: crash-log-darwin
path: ~/Library/Logs/DiagnosticReports/
- - name: Perform CodeQL Analysis
- if: ${{ inputs.run-codeql }}
- uses: ./.github/actions/perform-codeql-analysis
- with:
- language: cpp
+ # Build on Darwin + CodeQL often takes 6 hours (which is more than the maximum allowed by GitHub Runners), Deactivate it until we can investigate this
+ # - name: Perform CodeQL Analysis
+ # if: ${{ inputs.run-codeql }}
+ # uses: ./.github/actions/perform-codeql-analysis
+ # with:
+ # language: cpp
# TODO Log Upload https://github.com/project-chip/connectedhomeip/issues/2227
# TODO https://github.com/project-chip/connectedhomeip/issues/1512
@@ -488,7 +516,7 @@
env:
TSAN_OPTIONS: "halt_on_error=1 suppressions=scripts/tests/chiptest/tsan-linux-suppressions.txt"
- if: github.actor != 'restyled-io[bot]'
+ if: github.actor != 'restyled-io[bot]' && inputs.run-codeql != true
runs-on: ubuntu-latest
container: