name: "CodeQL" on: push: branches: - main - "release/*" pull_request: branches: - "*" env: # Please ensure that this is in sync with graalAPIVersion in build.sbt graalVersion: 20.2.0 javaVersion: java11 # Please ensure that this is in sync with project/build.properties sbtVersion: 1.3.13 rustToolchain: nightly-2019-11-04 jobs: vuln-scan: name: Vulnerability Scan runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v2 with: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. fetch-depth: 2 # If this run was triggered by a pull request event, then checkout # the head of the pull request instead of the merge commit. - run: git checkout HEAD^2 if: ${{ github.event_name == 'pull_request' }} # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v1 with: languages: java # Set Up Environment - name: Install Rust uses: actions-rs/toolchain@v1 with: toolchain: ${{ env.rustToolchain }} override: true - name: Setup conda uses: s-weigand/setup-conda@v1 with: update-conda: false conda-channels: anaconda, conda-forge - name: Install FlatBuffers Compiler run: conda install --freeze-installed flatbuffers=1.12.0 - name: Setup GraalVM Environment uses: DeLaGuardo/setup-graalvm@2.0 with: graalvm-version: ${{ env.graalVersion }}.${{ env.javaVersion }} - name: Set Up SBT run: | curl --retry 4 --retry-connrefused -fsSL -o sbt.tgz https://github.com/sbt/sbt/releases/download/v${{env.sbtVersion}}/sbt-${{env.sbtVersion}}.tgz tar -xzf sbt.tgz echo ::add-path::$GITHUB_WORKSPACE/sbt/bin/ # Caches - name: Cache SBT uses: actions/cache@v2 with: path: | ~/.sbt ~/.ivy2/cache ~/.cache key: ${{ runner.os }}-sbt-${{ hashFiles('**build.sbt') }} restore-keys: ${{ runner.os }}-sbt- # Build - name: Bootstrap Enso project run: sbt --no-colors bootstrap - name: Build Enso run: sbt --no-colors compile # Analyse the Code - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v1