1+ # Workflow name as shown in the GitHub Actions UI
12name : " CodeQL"
23
4+ # Define when this workflow should run
35on :
6+ # Run CodeQL analysis on every push to the main branch
47 push :
58 branches : [ "main" ]
9+
10+ # Run CodeQL analysis for pull requests targeting main
611 pull_request :
712 branches : [ "main" ]
13+
14+ # Allow the workflow to be triggered manually from the Actions tab
815 workflow_dispatch :
916
1017# DESIGN NOTES
1118# ------------
12- # 1) Split jobs by language to avoid coupling:
13- # - Go can usually be analyzed without complex build tooling.
14- # - C/C++ CodeQL benefits from observing *actual* compilation commands.
19+ # This repository contains:
20+ # - Go code (the "trice" tool)
21+ # - C/C++ code (the embedded/library/examples)
22+ #
23+ # CodeQL works best if it can observe real compiler invocations for C/C++.
24+ # The previous C/C++ CodeQL run failed because:
25+ # 1) arm-none-eabi-gcc was not installed on ubuntu-latest
26+ # 2) some example build scripts call `trice` (Go tool), but `trice` was not on PATH
1527#
16- # 2) Avoid running ./testAll.sh inside CodeQL:
17- # testAll.sh is a full QA pipeline (formatting, markdown linting, link checks,
18- # coverage, ID regeneration, cross-toolchains). That increases runtime and
19- # failure surface and can cause C/C++ builds to be skipped depending on
20- # tool availability on the runner.
28+ # Therefore, this workflow:
29+ # - Upgrades CodeQL Action from v3 to v4 (v3 is scheduled for deprecation in 2026)
30+ # - Splits analysis into two independent jobs (Go and C/C++)
31+ # - Uses build-mode: manual for C/C++ and runs your known-good build scripts explicitly
32+ # - Installs the ARM embedded toolchain + newlib headers on the Ubuntu runner
33+ # - Builds/installs `trice` before running the C/C++ build scripts that require it
2134#
22- # 3) Instead, run the build scripts that actually compile the C/C++ targets.
23- # This provides CodeQL with clean, deterministic compilation observability.
35+ # Rationale for NOT calling ./testAll.sh in CodeQL:
36+ # - testAll.sh is a full QA pipeline (formatting, markdown linting, link checks, coverage, ID regeneration,
37+ # optional cross-toolchain checks, etc.). That increases runtime and failure surface for CodeQL.
38+ # - CodeQL only needs a build that compiles the C/C++ translation units of interest.
2439
2540jobs :
2641 analyze-go :
42+ # Job name as displayed in GitHub Actions
2743 name : " Analyze (CodeQL) - Go"
44+
45+ # Use the latest Ubuntu runner provided by GitHub
2846 runs-on : ubuntu-latest
2947
48+ # Required permissions for uploading CodeQL results to the Security tab
3049 permissions :
3150 security-events : write
3251 actions : read
3352 contents : read
3453
3554 steps :
55+ # Step 1: Check out the repository so CodeQL can access the source code
3656 - name : Checkout repository
3757 uses : actions/checkout@v4
3858
59+ # Step 2: Set up Go for deterministic tooling
60+ # - "stable" follows the current stable Go release on GitHub Actions runners.
61+ # - If you need strict reproducibility, pin a specific version (e.g. "1.23.x").
62+ - name : Set up Go
63+ uses : actions/setup-go@v5
64+ with :
65+ go-version : stable
66+
67+ # Step 3: Initialize the CodeQL analysis environment (v4)
3968 - name : Initialize CodeQL (Go)
4069 uses : github/codeql-action/init@v4
4170 with :
71+ # Analyze Go source code
4272 languages : go
43- # Optional: broader queries
73+
74+ # Optional query selection:
75+ # - security-and-quality: common default
76+ # - security-extended: broader security coverage
4477 # queries: security-and-quality
4578
46- # Optional: build the trice tool exactly as you do locally .
47- # If buildTriceTool.sh expects extra tooling, add it here .
48- - name : Build trice tool (optional )
79+ # Step 4 ( Optional but recommended) : build the Go tool in the same way as your local workflow .
80+ # This helps ensure CodeQL sees the same module/build constraints used in CI .
81+ - name : Build trice tool (Go )
4982 shell : bash
5083 run : |
84+ set -euo pipefail
5185 chmod +x ./buildTriceTool.sh
5286 ./buildTriceTool.sh
5387
54- # Alternatively (or additionally), run tests:
55- # - name: Go tests
56- # run: go test ./...
88+ # If buildTriceTool.sh installs into $HOME/go/bin, ensure it is on PATH for later steps.
89+ echo "$HOME/go/bin" >> "$GITHUB_PATH"
90+
91+ # Sanity check
92+ command -v trice
93+ trice version
5794
95+ # Step 5: Run the CodeQL analysis and upload results to GitHub
96+ # Findings appear under: Security -> Code scanning alerts
5897 - name : Perform CodeQL Analysis (Go)
5998 uses : github/codeql-action/analyze@v4
6099
61100 analyze-cpp :
101+ # Job name as displayed in GitHub Actions
62102 name : " Analyze (CodeQL) - C/C++"
103+
104+ # Use the latest Ubuntu runner provided by GitHub
63105 runs-on : ubuntu-latest
64106
107+ # Required permissions for uploading CodeQL results to the Security tab
65108 permissions :
66109 security-events : write
67110 actions : read
68111 contents : read
69112
70113 steps :
114+ # Step 1: Check out the repository so CodeQL can access the source code
115+ # Keep submodules if your examples/vendor code relies on them.
71116 - name : Checkout repository (with submodules)
72117 uses : actions/checkout@v4
73118 with :
74119 submodules : recursive
75120
121+ # Step 2: Initialize the CodeQL analysis environment (v4)
122+ #
123+ # For C/C++ we use "manual" build mode because CodeQL autobuild previously failed,
124+ # and because manual mode ensures CodeQL can observe the exact compile commands
125+ # produced by your scripts.
76126 - name : Initialize CodeQL (C/C++)
77127 uses : github/codeql-action/init@v4
78128 with :
79129 languages : cpp
80- # Manual mode: we provide the build commands explicitly.
81130 build-mode : manual
82- # Optional: query suite
131+
132+ # Optional query selection:
83133 # queries: security-and-quality
84134
85- # Install baseline build tooling.
86- # Add packages as needed to satisfy your scripts.
87- - name : Install build dependencies
135+ # Step 3: Install build dependencies on ubuntu-latest
136+ #
137+ # Your scripts invoke arm-none-eabi-gcc for cross-compilation and also expect newlib headers.
138+ # - gcc-arm-none-eabi provides arm-none-eabi-gcc
139+ # - binutils-arm-none-eabi provides linker/objcopy/size tools commonly used by Makefiles
140+ # - libnewlib-arm-none-eabi provides standard headers (e.g., stdlib.h) for embedded builds
141+ #
142+ # If later logs show missing tools (cmake, ninja, clang, etc.), extend this list.
143+ - name : Install build dependencies (ARM toolchain + newlib)
88144 run : |
89145 sudo apt-get update
90- sudo apt-get install -y build-essential make
146+ sudo apt-get install -y \
147+ build-essential \
148+ make \
149+ gcc-arm-none-eabi \
150+ binutils-arm-none-eabi \
151+ libnewlib-arm-none-eabi
152+
153+ # Step 4: Provide `trice` on PATH for scripts that call it
154+ #
155+ # Some example build scripts call:
156+ # trice_cleanIDs_in_examples_and_test_folder.sh
157+ # trice_insertIDs_in_examples_and_test_folder.sh
158+ # and those scripts expect the `trice` executable to be available.
159+ #
160+ # We build/install trice here (again) because jobs are isolated: the Go job's artifacts/PATH
161+ # do not automatically carry over to the C/C++ job.
162+ - name : Set up Go (needed for trice tool)
163+ uses : actions/setup-go@v5
164+ with :
165+ go-version : stable
91166
92- # Manual build step: run only the scripts that compile C/C++.
93- # Start minimal; add toolchain-specific scripts only if needed.
167+ - name : Build and install trice tool into PATH
168+ shell : bash
169+ run : |
170+ set -euo pipefail
171+ chmod +x ./buildTriceTool.sh
172+ ./buildTriceTool.sh
173+ echo "$HOME/go/bin" >> "$GITHUB_PATH"
174+
175+ # Sanity check
176+ command -v trice
177+ trice version
178+
179+ # Step 5: Manual build step (THIS REPLACES AUTOBUILD FOR C/C++)
180+ #
181+ # CodeQL will observe the compilation happening here and use it to create the database.
182+ #
183+ # Start with the two scripts that typically cover core conditional compilation paths:
184+ # - TRICE_OFF
185+ # - TRICE_ON
186+ #
187+ # If you later decide to include additional configurations (e.g., L432 all configs),
188+ # add them here once they are stable on ubuntu-latest.
94189 - name : Build C/C++ targets (manual)
95190 shell : bash
96191 run : |
97192 set -euo pipefail
193+
98194 chmod +x \
99195 ./examples/buildAllTargets_TRICE_OFF.sh \
100196 ./examples/buildAllTargets_TRICE_ON.sh
@@ -105,12 +201,13 @@ jobs:
105201
106202 # Optional (enable later if it works reliably on ubuntu-latest):
107203 # chmod +x ./examples/L432_inst/all_configs_build.sh
108- # ./examples/L432_inst/all_configs_build.sh
204+ # (cd ./examples/L432_inst && . /all_configs_build.sh)
109205 #
110206 # Optional clang-based build (enable later if desired):
111207 # sudo apt-get install -y clang
112208 # chmod +x ./examples/G0B1_inst/build_with_clang.sh
113209 # (cd ./examples/G0B1_inst && ./build_with_clang.sh)
114210
211+ # Step 6: Run the CodeQL analysis and upload results to GitHub
115212 - name : Perform CodeQL Analysis (C/C++)
116213 uses : github/codeql-action/analyze@v4
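Review bot: `uses: github/codeql-action/analyze@v4` on the hunk's last line is referenced by a mutable major-version tag, so whatever that tag points to at run time executes inside a job holding `security-events: write`; pin it to the full commit SHA and keep the tag as a trailing comment, `uses: github/codeql-action/analyze@<full-commit-sha>  # v4`, and let Dependabot or Renovate bump the pin. The same applies to the `actions/checkout@v4`, `actions/setup-go@v5` and `github/codeql-action/init@v4` references in the first hunk. Separately, the rewritten optional line renders as `# (cd ./examples/L432_inst && . /all_configs_build.sh)` with a space after the dot; if that space is in the file rather than a rendering artifact, uncommenting the line would source `/all_configs_build.sh` from the filesystem root instead of running the script, so confirm it reads `./all_configs_build.sh`. The `Build C/C++ targets (manual)` step this hunk belongs to begins outside the hunk.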