Python: Promote Template Injection query from experimental #23272
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check framework coverage changes | |
on: | |
pull_request: | |
paths: | |
- ".github/workflows/csv-coverage-pr-comment.yml" | |
- ".github/workflows/csv-coverage-pr-artifacts.yml" | |
- ".github/actions/fetch-codeql/action.yml" | |
- "*/ql/src/**/*.ql" | |
- "*/ql/src/**/*.qll" | |
- "*/ql/lib/**/*.ql" | |
- "*/ql/lib/**/*.qll" | |
- "*/ql/lib/ext/**/*.yml" | |
- "misc/scripts/library-coverage/*.py" | |
# input data files | |
- "*/documentation/library-coverage/cwe-sink.csv" | |
- "*/documentation/library-coverage/frameworks.csv" | |
branches: | |
- main | |
- "rc/*" | |
permissions: | |
contents: read | |
pull-requests: read | |
jobs: | |
generate: | |
name: Generate framework coverage artifacts | |
runs-on: ubuntu-latest | |
steps: | |
- name: Dump GitHub context | |
env: | |
GITHUB_CONTEXT: ${{ toJSON(github.event) }} | |
run: echo "$GITHUB_CONTEXT" | |
- name: Clone self (github/codeql) - MERGE | |
uses: actions/checkout@v4 | |
with: | |
path: merge | |
- name: Clone self (github/codeql) - BASE | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 2 | |
path: base | |
- run: | | |
git checkout HEAD^1 | |
git log -1 --format='%H' | |
working-directory: base | |
- name: Set up Python 3.8 | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.8 | |
- name: Download CodeQL CLI | |
uses: ./merge/.github/actions/fetch-codeql | |
- name: Generate CSV files on merge commit of the PR | |
run: | | |
echo "Running generator on merge" | |
python merge/misc/scripts/library-coverage/generate-report.py ci merge merge | |
mkdir out_merge | |
cp framework-coverage-*.csv out_merge/ | |
cp framework-coverage-*.rst out_merge/ | |
- name: Generate CSV files on base commit of the PR | |
run: | | |
echo "Running generator on base" | |
python base/misc/scripts/library-coverage/generate-report.py ci base base | |
mkdir out_base | |
cp framework-coverage-*.csv out_base/ | |
cp framework-coverage-*.rst out_base/ | |
- name: Generate diff of coverage reports | |
run: | | |
python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md | |
- name: Upload CSV package list | |
uses: actions/upload-artifact@v4 | |
with: | |
name: csv-framework-coverage-merge | |
path: | | |
out_merge/framework-coverage-*.csv | |
out_merge/framework-coverage-*.rst | |
- name: Upload CSV package list | |
uses: actions/upload-artifact@v4 | |
with: | |
name: csv-framework-coverage-base | |
path: | | |
out_base/framework-coverage-*.csv | |
out_base/framework-coverage-*.rst | |
- name: Upload comparison results | |
uses: actions/upload-artifact@v4 | |
with: | |
name: comparison | |
path: | | |
comparison.md | |
- name: Save PR number | |
run: | | |
mkdir -p pr | |
echo ${PR_NUMBER} > pr/NR | |
env: | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
- name: Upload PR number | |
uses: actions/upload-artifact@v4 | |
with: | |
name: pr | |
path: pr/ | |
- name: Save comment ID (if it exists) | |
run: | | |
# Find the latest comment starting with COMMENT_PREFIX | |
COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports." | |
COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty') | |
if [[ -z ${COMMENT_ID} ]] | |
then | |
echo "Comment not found. Not uploading 'comment/ID' artifact." | |
else | |
mkdir -p comment | |
echo ${COMMENT_ID} > comment/ID | |
fi | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
- name: Upload comment ID (if it exists) | |
uses: actions/upload-artifact@v4 | |
with: | |
name: comment | |
path: comment/ | |
if-no-files-found: ignore |