entur · t-bern · Feb 7, 2025 · Jan 28, 2025 · Jan 28, 2025 · Feb 3, 2025
@@ -13,6 +13,16 @@ on:
         default: "security-extended"
         required: false
         type: string
+      job_runner:
+        description: 'Customizable job runner for CodeQL jobs that require a little extra performance/memory. List of runners is available in [Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners).'
+        default: "ubuntu-24.04"
+        required: false
+        type: string
+      gradle_opts:
+        description: '[Gradle build options](https://docs.gradle.org/current/userguide/build_environment.html#environment_variables_reference) to pass on to the CodeQL scanner'
+        default: "-Dorg.gradle.jvmargs=-Xmx4g"
+        required: false
+        type: string
     secrets:
       external_repository_token:
         description: 'Token to access the external repository mentioned in the codescan.yml file. Must have read access to the repository.'
@@ -24,19 +34,45 @@ jobs:
   input_validation:
     runs-on: ubuntu-24.04
     steps:
-      - name: "Validate input CodeQL queries"
+      - name: "Validate inputs"
         env:
           CODEQL_QUERIES: ${{ inputs.codeql_queries }}
+          JOB_RUNNER: ${{ inputs.job_runner }}
         run: |
           python -c "import re
           import os
           codeql_queries = os.environ['CODEQL_QUERIES']
           regex_matches = re.findall(r'[^,\s?]+', codeql_queries)
+          job_runner = os.environ['JOB_RUNNER']
+          # Supported runners documented in confluence: https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners
+          supported_runners = [
+            'ubuntu-latest',
+            'ubuntu-24.04',
+            'ubuntu-22.04',
+            'ubuntu-20.04',
+            'windows-latest',
+            'windows-2025',
+            'windows-2022',
+            'windows-2019',
+            'macos-latest',
+            'macos-15',
+            'macos-14',
+            'macos-13',
+            'grp-ubuntu-24.04-2core-x64',
+            'grp-ubuntu-24.04-4core-x64',
+            'grp-ubuntu-24.04-8core-x64',
+            'grp-ubuntu-24.04-16core-x64',
+            'grp-ubuntu-22.04-4core-x64',
+            'grp-ubuntu-24.04-2core-a64',
+            ]
 
           if (len(regex_matches) <= 0):
-              print('Invalid input. codeql_queries is set to invalid list. Use a comma-separated list: default, security-extended')
-              os.system('''echo '## Code Scan - Invalid input\n codeql_queries is set to invalid list.\n Use a comma-separated list as example: default, security-extended' >> $GITHUB_STEP_SUMMARY''')
-              exit(1)
+            print('::error ::Invalid input. codeql_queries is set to invalid list. Use a comma-separated list: default, security-extended')
+            exit(1)
+
+          if (not job_runner in supported_runners):
+            print('::error ::Invalid input. Supported runners are: ', supported_runners)
+            exit(1)
 
           os.system('echo Validation passed')"
   upload-scan-reports-from-matching-pr:
@@ -349,7 +385,8 @@ jobs:
     # See https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push
     # If we found a language, and the event is not a push made by dependabot on a PR
     if: ${{ needs.get-repository-languages.outputs.codeql_languages != '[]' && (github.event != 'push' || (github.event == 'push' && github.actor != 'dependabot[bot]')) }}
-    runs-on: ubuntu-24.04
+    # Runners are selected by labels: (default when you pass a string directly to runs-on) or group: "grp-runner". This snippet of code uses JSON to construct the group: object if the runner name starts with "grp-"
+    runs-on:  ${{ startsWith(inputs.job_runner, 'grp-') && fromJSON(format('{{"group":"{0}"}}', inputs.job_runner)) || inputs.job_runner }}
     needs: get-repository-languages
     permissions:
       # CodeQL - required for all workflows
@@ -398,7 +435,8 @@ jobs:
           ARTIFACTORY_AUTH_TOKEN: ${{ secrets.ARTIFACTORY_AUTH_TOKEN }}
           ARTIFACTORY_URL: ${{ vars.ARTIFACTORY_URL }}
           ARTIFACTORY_APIKEY: ${{ secrets.ARTIFACTORY_APIKEY }}
-          GRADLE_OPTS: -Dorg.gradle.jvmargs=-Xmx4g
+          GRADLE_OPTS: ${{ inputs.gradle_opts }}
+          IS_CODEQL_SCAN: true
 
       - name: "Get repository name"
         run: |
@@ -467,7 +505,7 @@ jobs:
                 inherit = '' if inherit is None else inherit
 
                 tmp_external_repository = str(inherit)
-                if not re.match('^[\w\.-]+$', tmp_external_repository):
+                if tmp_external_repository != "" and not re.match(r'^[\w\.-]+$', tmp_external_repository):
                   print(f'::warning ::Failed to fetch allowlist file from external repository due to name containing illegal characters ({tmp_external_repository})')
                 else:
                   external_repository = tmp_external_repository

@@ -82,7 +82,7 @@ jobs:
                 inherit = '' if inherit is None else inherit
 
                 tmp_external_repository = str(inherit)
-                if not re.match('^[\w\.-]+$', tmp_external_repository):
+                if tmp_external_repository != "" and not re.match(r'^[\w\.-]+$', tmp_external_repository):
                   print(f'::warning ::Failed to fetch allowlist file from external repository due to name containing illegal characters ({tmp_external_repository})')
                 else:
                   external_repository = tmp_external_repository

@@ -18,10 +18,12 @@ or add the Entur Shared Workflow _CodeQL Scan_. Go to the _Actions_ tab in your
 
 <!-- AUTO-DOC-INPUT:START - Do not remove or modify this section -->
 
-|                                      INPUT                                       |  TYPE   | REQUIRED |        DEFAULT        |                                                                            DESCRIPTION                                                                             |
-|----------------------------------------------------------------------------------|---------|----------|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|    <a name="input_codeql_queries"></a>[codeql_queries](#input_codeql_queries)    | string  |  false   | `"security-extended"` |                                Comma-separated list of queries for <br>CodeQL to run. By default <br>is set to security-extended.                                  |
-| <a name="input_use_setup_gradle"></a>[use_setup_gradle](#input_use_setup_gradle) | boolean |  false   |        `false`        | Use "gradle/action/setup-gradle" before running autobuild <br>(Java/Kotlin only). Potentially speeds up build <br>times if cache from main <br>branch is utilized  |
+|                                      INPUT                                       |  TYPE   | REQUIRED |             DEFAULT             |                                                                                                                DESCRIPTION                                                                                                                |
+|----------------------------------------------------------------------------------|---------|----------|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|    <a name="input_codeql_queries"></a>[codeql_queries](#input_codeql_queries)    | string  |  false   |      `"security-extended"`      |                                                                    Comma-separated list of queries for <br>CodeQL to run. By default <br>is set to security-extended.                                                                     |
+|        <a name="input_gradle_opts"></a>[gradle_opts](#input_gradle_opts)         | string  |  false   | `"-Dorg.gradle.jvmargs=-Xmx4g"` |                                      [Gradle build options](https://docs.gradle.org/current/userguide/build_environment.html#environment_variables_reference) to pass on to <br>the CodeQL scanner                                        |
+|          <a name="input_job_runner"></a>[job_runner](#input_job_runner)          | string  |  false   |        `"ubuntu-24.04"`         | Customizable job runner for CodeQL <br>jobs that require a little <br>extra performance/memory. List of runners <br>is available in [Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners).  |
+| <a name="input_use_setup_gradle"></a>[use_setup_gradle](#input_use_setup_gradle) | boolean |  false   |             `false`             |                                    Use "gradle/action/setup-gradle" before running autobuild <br>(Java/Kotlin only). Potentially speeds up build <br>times if cache from main <br>branch is utilized                                      |
 
 <!-- AUTO-DOC-INPUT:END -->
 
@@ -237,6 +239,12 @@ The comment needs to be set on first line of the root project file (build.gradle
 
 More detail about this fix in the [Github Issues thread](https://github.com/github/codeql-action/issues/1855#issuecomment-2161052577)
 
+### Code scanning is very slow or fails after a long timeout.
+
+It is now possible to override the runner used by GitHub to one with more cpu/ram. Input `CUSTOM_RUNNER`. The list of options is available in [Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners)
+Gradle build options can also be overridden to increase jvm memory. Input `GRADLE_OPTS`.
+When CodeQL is triggered, the environment variable `IS_CODEQL_SCAN` is set to `true` which could be used to skip certain tests during build.
+
 ## Github Rulesets
 
 See [Security rulesets](README-security-rulesets.md) for how to setup code scanning merge protection ruleset.