openttd/.github/workflows/codeql.yml

name: CodeQL

on:
#  push:
#    branches:
#    - master
#  pull_request:
#    # The branches below must be a subset of the branches above
#    branches:
#    - master
  workflow_dispatch:
    inputs:
      ref:
        description: 'Ref to build (for Pull Requests, use refs/pull/NNN/head)'
        required: true

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
    - name: Checkout
      if: github.event_name != 'workflow_dispatch'
      uses: actions/checkout@v3

    - name: Checkout (Manual)
      if: github.event_name == 'workflow_dispatch'
      uses: actions/checkout@v3
      with:
        ref: ${{ github.event.inputs.ref }}

    - name: Install dependencies
      run: |
        echo "::group::Update apt"
        sudo apt-get update
        echo "::endgroup::"

        echo "::group::Install dependencies"
        sudo apt-get install -y --no-install-recommends \
          liballegro4-dev \
          libcurl4-openssl-dev \
          libfontconfig-dev \
          libicu-dev \
          liblzma-dev \
          liblzo2-dev \
          libsdl2-dev \
          zlib1g-dev \
          # EOF
        echo "::endgroup::"
      env:
        DEBIAN_FRONTEND: noninteractive

    - name: Set number of make jobs
      run: |
        echo "MAKEFLAGS=-j$(nproc)" >> $GITHUB_ENV

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: cpp
        config-file: ./.github/codeql/codeql-config.yml

    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        category: /language:cpp
        upload: False
        output: sarif-results

    - name: Filter out table & generated code
      uses: advanced-security/filter-sarif@v1
      with:
        patterns: |
          +**/*.*
          -**/table/*.*
          -**/generated/**/*.*
        input: sarif-results/cpp.sarif
        output: sarif-results/cpp.sarif

    - name: Upload results
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: sarif-results/cpp.sarif