add actions/workflows

Alvaro Muñoz · Alvaro Muñoz · commit 725f737de07d · 2023-09-14T18:59:28.000+02:00
diff --git a/.github/scripts/pr-compile.sh b/.github/scripts/pr-compile.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -euo pipefail
+
+PR_NUMBER=${1}
+LANGUAGE=${2}
+# to stop recompiling all queries if multiple files are modified
+LIBRARY_SCANNED=false
+
+echo "[+] Cloning CodeQL"
+gh repo clone github/codeql
+
+echo "[+] Compiling all queries in $LANGUAGE"
+gh codeql query compile \
+    --threads=0 --check-only \
+    --search-path=./codeql --additional-packs=./codeql:./codeql/misc \
+    "./$LANGUAGE/"
+
+for file in $(gh pr view "$PR_NUMBER" --json files --jq '.files.[].path'); do
+    if [[ ! -f "$file" ]]; then
+        continue
+    fi
+
+    # if the file is a query file .ql or .qll
+    if [[ "$file" == $LANGUAGE/**.ql ]]; then
+        echo "[+] Compiling $file (in $LANGUAGE)"
+
+        # compile the query
+        gh codeql query compile  \
+            --threads=0 --check-only \
+            --warnings=error \
+            --search-path=./codeql --additional-packs=./codeql:./codeql/misc \
+            "./$file"
+
+    # if lib folder is modified
+    elif [[ "$file" == $LANGUAGE/lib/* ]] && [[ $LIBRARY_SCANNED == false ]]; then
+        echo "[+] Libray changed, compiling all queries in $LANGUAGE"
+        gh codeql query compile \
+            --threads=0 --check-only \
+            --warnings=error \
+            --search-path=./codeql --additional-packs=./codeql:./codeql/misc \
+            "./$LANGUAGE/"
+        # set LIBRARY_SCANNED to true to prevent recompiling
+        LIBRARY_SCANNED=true
+
+    fi
+done
+
+echo "[+] Complete"
diff --git a/.github/scripts/pr-suites-packs.sh b/.github/scripts/pr-suites-packs.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+set -euo pipefail
+
+PR_NUMBER=${1}
+LANGUAGE=${2}
+PACK_COMPILED=false
+
+for file in $(gh pr view "$PR_NUMBER" --json files --jq '.files.[].path'); do
+    if [[ ! -f "$file" ]]; then
+        continue
+    fi
+
+    # suite folder 
+    if [[ "$file" == $LANGUAGE/suites/**.qls ]]; then
+        echo "[+] Compiling Suite: $file"
+        gh codeql resolve queries \
+            --search-path=./codeql \
+            --additional-packs=./codeql:./codeql/misc \
+            "$file"
+
+    # qlpack file and lock file
+    elif [[ "$file" == $LANGUAGE/qlpack.yml ]] || [[ "$file" == $LANGUAGE/codeql-pack.lock.yml ]]; then
+        if [[ "$PACK_COMPILED" == true ]]; then
+            continue
+        fi 
+        echo "[+] Compiling Pack: $LANGUAGE"
+        # install deps
+        gh codeql pack install "$LANGUAGE"
+        # compile / create pack
+        gh codeql pack create "$LANGUAGE"
+
+        # if the version of the pack is changed, comment in the PR
+        PUBLISHED_VERSION=$(gh api /orgs/advanced-security/packages/container/codeql-"$LANGUAGE"/versions --jq '.[0].metadata.container.tags[0]')
+        CURRENT_VERSION=$(grep version "$LANGUAGE"/qlpack.yml | awk '{print $2}')
+
+        if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            echo "[+] New version of pack detected: $PUBLISHED_VERSION (pub) != $CURRENT_VERSION (cur)"
+
+            comment="New version of pack \`advanced-security/codeql-$LANGUAGE\` will be created on merge: \`$PUBLISHED_VERSION\`->\`$CURRENT_VERSION\`"
+
+            if [[ ! $(gh pr view "$PR_NUMBER" --json comments --jq '.comments.[].body' | grep "$comment") ]]; then
+                echo "[+] Commenting on PR"
+                gh pr comment "$PR_NUMBER" \
+                    --body "$comment"
+
+            fi
+
+        fi
+        
+        PACK_COMPILED=true
+
+    fi
+done
+
+echo "[+] Complete"
diff --git a/.github/scripts/pr-tests.sh b/.github/scripts/pr-tests.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+set -euo pipefail
+
+PR_NUMBER=${1}
+LANGUAGE=${2}
+
+if [[ ! -d ./${LANGUAGE}/test/ ]]; then
+    echo "[!] No tests found for $LANGUAGE, skipping"
+    exit 0
+fi
+
+echo "[+] Cloning CodeQL"
+gh repo clone github/codeql
+
+echo "[+] Compiling all queries in $LANGUAGE"
+gh codeql query compile \
+    --threads=0 --check-only \
+    --search-path=./codeql --additional-packs=./codeql:./codeql/misc \
+    "./$LANGUAGE/"
+
+for file in $(gh pr view "$PR_NUMBER" --json files --jq '.files.[].path'); do
+    if [[ ! -f "$file" ]]; then
+        continue
+    fi
+
+    # if a change in the test folder is detected (only for the current language)
+    if [[ "$file" == $LANGUAGE/test/** ]]; then
+        echo "[+] Test $file changed"
+        TEST_DIR=$(dirname "$file")
+        # run tests in the folder the change occured in
+        gh codeql test run \
+            --additional-packs=./ --additional-packs=./codeql \
+            "$TEST_DIR"
+            
+    # if the files is a query file .ql or .qll
+    elif [[ "$file" == $LANGUAGE/**.ql ]] || [[ "$file" == $LANGUAGE/**.qll ]] ; then
+        echo "[+] Query $file changed (in $LANGUAGE)"
+
+        SRC_DIR=$(realpath --relative-to="./${LANGUAGE}/src" "$file")
+        TEST_DIR=./${LANGUAGE}/test/${SRC_DIR}
+        
+        if [[ -d "$TEST_DIR" ]]; then
+            echo "[+] Running tests for $file -> $TEST_DIR"
+            gh codeql test run \
+                --additional-packs=./ --additional-packs=./codeql \
+                "$TEST_DIR"
+
+        else
+            echo "[!] No tests found at $TEST_DIR"
+        fi
+    # if language lib folder is modified
+    elif [[ "$file" == $LANGUAGE/lib/** ]]; then
+        echo "[+] Library changed, running all tests in $LANGUAGE"
+        TEST_DIR=./${LANGUAGE}/test/
+
+        if [[ -d "$TEST_DIR" ]]; then
+            echo "[+] Running tests for $file -> $TEST_DIR"
+            gh codeql test run \
+                --additional-packs=./ --additional-packs=./codeql \
+                "$TEST_DIR"
+        else
+            echo "[!] No tests found for $file (in $LANGUAGE)"
+        fi
+    
+    fi
+
+done
+
+echo "[+] Complete"
