mirror of
https://github.com/jemalloc/jemalloc.git
synced 2026-07-18 14:47:18 +03:00
57 lines
1.9 KiB
YAML
57 lines
1.9 KiB
YAML
name: "CodeQL"
|
|
|
|
# CodeQL static analysis for C/C++. Runs on GitHub's x86_64 runners with full
|
|
# network access, so it works even when a contributor's devserver can't reach
|
|
# github.com.
|
|
#
|
|
# Query suite: "security-and-quality" — GitHub's most comprehensive built-in
|
|
# suite. It is a superset of "security-extended" (so it still includes
|
|
# cpp/uncontrolled-arithmetic, the CWE-190/191 analog to the Veracode integer
|
|
# overflow/underflow findings on sz.h) and additionally pulls in the
|
|
# maintainability and reliability queries that high-quality repositories use to
|
|
# catch a broader class of bugs.
|
|
#
|
|
# Build config: --enable-debug --enable-prof --enable-cxx. Debug makes
|
|
# jemalloc's assert()s live (config_debug becomes a true const, not a no-op), so
|
|
# CodeQL credits them as guards and trusts the invariants they document; prof
|
|
# and cxx compile the profiling-only and C++ (operator new/delete) sources so
|
|
# those are analyzed too. This config is already built/tested in linux-ci.yml.
|
|
|
|
on:
|
|
push:
|
|
branches: [ dev, ci_travis ]
|
|
pull_request:
|
|
branches: [ dev ]
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze C/C++
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
security-events: write # required to upload code-scanning results
|
|
contents: read
|
|
actions: read
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install build deps
|
|
run: sudo apt-get update && sudo apt-get install -y autoconf
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@v3
|
|
with:
|
|
languages: c-cpp
|
|
queries: security-and-quality
|
|
|
|
- name: Build jemalloc
|
|
run: |
|
|
./autogen.sh
|
|
./configure --enable-debug --enable-prof --enable-cxx
|
|
make -j"$(nproc)"
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@v3
|
|
with:
|
|
category: "/language:c-cpp"
|