Initial Batch of Windows Filtering Platform Queries for Static Contracts #566
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Continuous integration action for the CodeQL components of this repo. | |
# This downloads the CodeQL CLI and then builds all the queries in the "windows-drivers" folder. | |
name: Build and Publish Windows CodeQL queries | |
on: | |
# Triggers the workflow on push or pull request events but only for the main and development branches | |
push: | |
branches: [ main, development ] | |
pull_request: | |
branches: [ main, development ] | |
# Allow manual scheduling | |
workflow_dispatch: | |
jobs: | |
build: | |
runs-on: windows-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Enable long git paths | |
shell: cmd | |
run: git config --global core.longpaths true | |
- name: Clone self (windows-driver-developer-supplemental-tools) | |
uses: actions/checkout@v4 | |
with: | |
path: . | |
fetch-depth: 0 | |
- name: CodeQL Download | |
run: | |
Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ vars.CODEQL_VERSION }}/codeql-win64.zip" -OutFile codeql-win64.zip; | |
Expand-Archive -Path codeql-win64.zip -DestinationPath .\codeql-zip -Force; | |
Move-Item -Path .\codeql-zip\codeql -Destination .\codeql-cli\ | |
- name: Install CodeQL pack dependencies | |
shell: cmd | |
run: | | |
pushd .\src | |
..\codeql-cli\codeql.cmd pack install | |
popd | |
- name: codeql version test | |
run: .\codeql-cli\codeql.exe version | |
- name: Build must-fix driver suite | |
shell: cmd | |
run: .\codeql-cli\codeql.cmd query compile --check-only windows_mustfix_partial.qls | |
- name: Build recommended driver suite | |
shell: cmd | |
run: .\codeql-cli\codeql.cmd query compile --check-only windows_recommended_partial.qls | |
- name: Build CA ported queries | |
shell: cmd | |
run: .\codeql-cli\codeql.cmd query compile --check-only ported_driver_ca_checks.qls | |
- name: Build all Windows queries | |
shell: cmd | |
run: .\codeql-cli\codeql.cmd query compile --check-only .\src | |
test-query-health: | |
runs-on: windows-latest | |
needs: build | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Enable long git paths | |
shell: cmd | |
run: git config --global core.longpaths true | |
- name: Clone self (windows-driver-developer-supplemental-tools) | |
uses: actions/checkout@v4 | |
with: | |
path: . | |
fetch-depth: 0 | |
- name: CodeQL Download | |
run: | |
Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ vars.CODEQL_VERSION }}/codeql-win64.zip" -OutFile codeql-win64.zip; | |
Expand-Archive -Path codeql-win64.zip -DestinationPath .\codeql-zip -Force; | |
Move-Item -Path .\codeql-zip\codeql -Destination .\codeql-cli\ | |
- name: Install CodeQL pack dependencies | |
shell: cmd | |
run: | | |
pushd .\src | |
..\codeql-cli\codeql.cmd pack install | |
popd | |
- name: codeql version test | |
run: .\codeql-cli\codeql.exe version | |
- name: Setup Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.11 | |
- name: Install Python Packages | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r .\src\drivers\test\requirements.txt | |
- name: Add msbuild to PATH | |
uses: microsoft/setup-msbuild@v2 | |
- name: Run test script | |
shell: pwsh | |
env: | |
CONNECTION_STRING: ${{ secrets.CONNECTION_STRING }} | |
ACCOUNT_KEY: ${{ secrets.ACCOUNT_KEY }} | |
SHARE_NAME: ${{ secrets.SHARE_NAME }} | |
CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} | |
ACCOUNT_NAME: ${{ secrets.ACCOUNT_NAME }} | |
run: python src\drivers\test\build_create_analyze_test.py --codeql_path .\codeql-cli\codeql.exe --no_build --compare_results --connection_string "$env:CONNECTION_STRING" --share_name "$env:SHARE_NAME" --container_name "$env:CONTAINER_NAME" | |
test-codeql-latest-vs-current: | |
# Tests if the latest codeql version produces the same results as the current version. | |
runs-on: windows-latest | |
continue-on-error: true # Allow script to return non-zero exit code | |
needs: [build,test-query-health] | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Enable long git paths | |
shell: cmd | |
run: git config --global core.longpaths true | |
- name: Clone self (windows-driver-developer-supplemental-tools) | |
uses: actions/checkout@v4 | |
with: | |
path: . | |
fetch-depth: 0 | |
- name: CodeQL Download | |
run: | |
Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ vars.CODEQL_LATEST_VERSION }}/codeql-win64.zip" -OutFile codeql-win64.zip; | |
Expand-Archive -Path codeql-win64.zip -DestinationPath .\codeql-zip -Force; | |
Move-Item -Path .\codeql-zip\codeql -Destination .\codeql-cli\ | |
- name: Install CodeQL pack dependencies | |
shell: cmd | |
run: | | |
pushd .\src | |
..\codeql-cli\codeql.cmd pack install | |
popd | |
- name: codeql version test | |
run: .\codeql-cli\codeql.exe version | |
- name: Setup Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.11 | |
- name: Install Python Packages | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r .\src\drivers\test\requirements.txt | |
- name: Add msbuild to PATH | |
uses: microsoft/setup-msbuild@v2 | |
- name: Run test script | |
shell: pwsh | |
env: | |
CONNECTION_STRING: ${{ secrets.CONNECTION_STRING }} | |
ACCOUNT_KEY: ${{ secrets.ACCOUNT_KEY }} | |
SHARE_NAME: ${{ secrets.SHARE_NAME }} | |
CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} | |
ACCOUNT_NAME: ${{ secrets.ACCOUNT_NAME }} | |
run: python src\drivers\test\build_create_analyze_test.py --codeql_path .\codeql-cli\codeql.exe --no_build --compare_results --connection_string "$env:CONNECTION_STRING" --share_name "$env:SHARE_NAME" | |
test-pack-version-update: | |
runs-on: windows-latest | |
needs: build | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Enable long git paths | |
shell: cmd | |
run: git config --global core.longpaths true | |
- name: Clone self (windows-driver-developer-supplemental-tools) | |
uses: actions/checkout@v4 | |
with: | |
path: . | |
fetch-depth: 0 | |
- name: Check for changes to qlpack | |
shell: pwsh | |
run: | |
$qlpack_diff = git diff HEAD~1:src/qlpack.yml src/qlpack.yml; | |
$rec_diff = git diff HEAD~1:src/windows-driver-suites/windows_recommended_partial.qls src/windows-driver-suites/windows_recommended_partial.qls; | |
$mf_diff = git diff HEAD~1:src/windows-driver-suites/windows_mustfix_partial.qls src/windows-driver-suites/windows_mustfix_partial.qls; | |
if (!$qlpack_diff -and ($rec_diff -or $mf_diff)) { "Query suite file updated without updating qlpack version"; exit 1 } | |
$last_qlpack_commit = git log -n 1 --pretty=format:%H -- src/qlpack.yml; | |
$qlpack_changes =git show $last_qlpack_commit -- .\src\qlpack.yml; | |
$last_mf_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/windows_mustfix_partial.qls; | |
$last_rec_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/windows_recommended_partial.qls; | |
$commits_since_qlpack_change = [int](git rev-list --count HEAD...$last_qlpack_commit); | |
$commits_since_mf_change = [int](git rev-list --count HEAD...$last_mf_commit); | |
$commits_since_rec_change = [int](git rev-list --count HEAD...$last_rec_commit); | |
if ($commits_since_qlpack_change -gt $commits_since_mf_change) { "Mustfix query suite file modified without updating version"; exit 1 }; | |
if ($commits_since_qlpack_change -gt $commits_since_rec_change) {"Recommended query suite file modified without updating version"; exit 1 }; | |
try{$old_qlpack_version = [version]($qlpack_changes -match "-version").Substring(10);} catch {"Changed qlpack.yml without updating version"; exit 1 } | |
try{$new_qlpack_version = [version]($qlpack_changes -match "\+version").Substring(10);} catch {"Changed qlpack.yml without updating version"; exit 1 } | |
if ($new_qlpack_version -gt $old_qlpack_version) { exit 0 } else { "qlpack.yml version not incremented"; exit 1 } | |
test-create-dvl: | |
runs-on: windows-latest | |
needs: build | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Enable long git paths | |
shell: cmd | |
run: git config --global core.longpaths true | |
- name: Clone self (windows-driver-developer-supplemental-tools) | |
uses: actions/checkout@v4 | |
with: | |
path: . | |
fetch-depth: 0 | |
- name: CodeQL Download | |
run: | |
Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ vars.CODEQL_VERSION }}/codeql-win64.zip" -OutFile codeql-win64.zip; | |
Expand-Archive -Path codeql-win64.zip -DestinationPath .\codeql-zip -Force; | |
Move-Item -Path .\codeql-zip\codeql -Destination .\codeql-cli\ | |
- name: Install CodeQL pack dependencies | |
shell: cmd | |
run: | | |
pushd .\src | |
..\codeql-cli\codeql.cmd pack install | |
popd | |
- name: Add msbuild to PATH | |
uses: microsoft/setup-msbuild@v2 | |
- name: Test DVL | |
run: src\drivers\test\dvl_tests\dvl_tests.ps1 | |
- name: Archive code coverage results | |
uses: actions/upload-artifact@v4 | |
with: | |
name: dvl-outputs | |
path: | | |
clean_results\*.* | |
mustfix_results\*.* | |
publish: | |
runs-on: windows-latest | |
needs: [build, test-pack-version-update, test-query-health] | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Enable long git paths | |
shell: cmd | |
run: git config --global core.longpaths true | |
- name: Clone self (windows-driver-developer-supplemental-tools) | |
uses: actions/checkout@v4 | |
with: | |
path: . | |
fetch-depth: 0 | |
- name: CodeQL Download | |
run: | |
Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ vars.CODEQL_VERSION }}/codeql-win64.zip" -OutFile codeql-win64.zip; | |
Expand-Archive -Path codeql-win64.zip -DestinationPath .\codeql-zip -Force; | |
Move-Item -Path .\codeql-zip\codeql -Destination .\codeql-cli\ | |
- name: Install CodeQL pack dependencies | |
shell: cmd | |
run: | | |
pushd .\src | |
..\codeql-cli\codeql.cmd pack install | |
popd | |
- name: Publish New CodeQL Pack | |
shell: pwsh | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | |
$build = git rev-parse --short HEAD; | |
$version =( Select-String .\src\qlpack.yml -Pattern "version").line; | |
$new_ver = "$version-alpha+$build"; | |
(Get-Content .\src\qlpack.yml).Replace($version, $new_ver) | Set-Content .\src\qlpack.yml; | |
.\codeql-cli\codeql.cmd pack publish --allow-prerelease ./src; |