Activate codeql on selfhost instance

sapcc · Apr 10, 2024 · efa23e6 · efa23e6
1 parent bdcb912
commit efa23e6
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/internal/ghworkflow/render.go b/internal/ghworkflow/render.go
@@ -35,6 +35,7 @@ func Render(cfg core.Configuration) {
 	must.Succeed(os.MkdirAll(workflowDir, 0o755))
 
 	// remove renamed files
+	must.Succeed(os.RemoveAll(filepath.Join(workflowDir, "codeql.yml")))
 	must.Succeed(os.RemoveAll(filepath.Join(workflowDir, "dependency-review.yaml")))
 	must.Succeed(os.RemoveAll(filepath.Join(workflowDir, "license.yaml")))
 	must.Succeed(os.RemoveAll(filepath.Join(workflowDir, "spell.yaml")))

diff --git a/internal/ghworkflow/workflow_codeql.go b/internal/ghworkflow/workflow_codeql.go
@@ -14,14 +14,16 @@
 package ghworkflow
 
 import (
+	"strings"
+
 	"github.com/sapcc/go-makefile-maker/internal/core"
 )
 
 func codeQLWorkflow(cfg core.Configuration) {
 	ghwCfg := cfg.GitHubWorkflow
 	w := newWorkflow("CodeQL", ghwCfg.Global.DefaultBranch, nil)
 
-	if w.deleteIf((ghwCfg.SecurityChecks.Enabled == nil || *ghwCfg.SecurityChecks.Enabled) && !ghwCfg.IsSelfHostedRunner) {
+	if w.deleteIf((ghwCfg.SecurityChecks.Enabled == nil || *ghwCfg.SecurityChecks.Enabled)) {
 		return
 	}
 
@@ -33,21 +35,34 @@ func codeQLWorkflow(cfg core.Configuration) {
 	w.On.PullRequest.Branches = []string{ghwCfg.Global.DefaultBranch}
 	w.On.Schedule = []cronExpr{{Cron: "00 07 * * 1"}} // every Monday at 07:00 AM
 
+	var (
+		initAction    = core.CodeqlInitAction
+		buildAction   = core.CodeqlAutobuildAction
+		analyzeAction = core.CodeqlAnalyzeAction
+	)
+
+	if ghwCfg.IsSelfHostedRunner {
+		initAction = strings.ReplaceAll(initAction, "github/", "Security-Testing/")
+		buildAction = strings.ReplaceAll(buildAction, "github/", "Security-Testing/")
+		analyzeAction = strings.ReplaceAll(analyzeAction, "github/", "Security-Testing/")
+	}
+
 	j := baseJobWithGo("Analyze", cfg)
 	j.addStep(jobStep{
 		Name: "Initialize CodeQL",
-		Uses: core.CodeqlInitAction,
+		Uses: initAction,
 		With: map[string]any{
 			"languages": "go",
+			"queries":   "security-extended",
 		},
 	})
 	j.addStep(jobStep{
 		Name: "Autobuild",
-		Uses: core.CodeqlAutobuildAction,
+		Uses: buildAction,
 	})
 	j.addStep(jobStep{
 		Name: "Perform CodeQL Analysis",
-		Uses: core.CodeqlAnalyzeAction,
+		Uses: analyzeAction,
 	})
 	w.Jobs = map[string]job{"analyze": j}