Add workflow to run CodeQL on QL queries

rvermeulen · rvermeulen · commit 749ea8084ea7 · 2024-01-26T17:52:24.000-08:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,32 @@
+name: CodeQL workflow for analyzing QL queries
+
+on:
+  workflow_dispatch:
+
+jobs:
+  analyze-ql-files:
+    name: Analyze QL files
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create database
+        run: |
+          nix-shell --pure --command "codeql database create --language=ql --source=. $RUNNER_TEMP/ql-db" tooling/shell.nix
+
+      - name: Analyze database
+        run: |
+          nix-shell --pure --command "codeql database analyze --output=$RUNNER_TEMP/ql.sarif --format=sarif-latest --sarif-category=ql4ql -- $RUNNER_TEMP/ql-db codeql/ql" tooling/shell.nix
+
+      - name: Upload results
+        run: |
+          nix-shell --pure --command "codeql github upload-results --sarif=$RUNNER_TEMP/ql.sarif --repository=$GITHUB_REPOSITORY --ref=$GITHUB_REF --commit=$GITHUB_SHA" tooling/shell.nix
+
+
+
+
