Fix code scanning alert no. 213: Use of potentially dangerous function #627
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| push: | |
| branches: main | |
| pull_request: | |
| branches: main | |
| permissions: read-all | |
| jobs: | |
| dependabot-merge: | |
| name: Merge Dependabot | |
| runs-on: ubuntu-latest | |
| needs: [] | |
| steps: | |
| - uses: ahmadnassri/action-dependabot-auto-merge@45fc124d949b19b6b8bf6645b6c9d55f4f9ac61a | |
| if: ${{ github.event_name == 'pull_request' }} | |
| with: | |
| target: minor | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| build: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu, windows] | |
| arch: [x86, x64, arm64] | |
| tls: [schannel, openssl] | |
| link: [static, shared] | |
| exclude: | |
| - os: ubuntu | |
| tls: schannel | |
| - os: ubuntu | |
| arch: x86 | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| name: Build | |
| runs-on: ${{ matrix.os }}-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| submodules: 'recursive' | |
| - name: Install Perl | |
| if: runner.os == 'Windows' | |
| uses: shogo82148/actions-setup-perl@98dfedee230bcf1ee68d5b021931fc8d63f2016e | |
| with: | |
| perl-version: '5.34' | |
| - name: Install NASM | |
| if: runner.os == 'Windows' | |
| uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028 | |
| - name: Install libnuma-dev | |
| if: runner.os == 'Ubuntu' | |
| run: sudo apt-get install -y libnuma-dev | |
| - name: Initialize CodeQL | |
| if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }} | |
| uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 | |
| with: | |
| languages: c-cpp | |
| build-mode: manual | |
| config: | | |
| queries: | |
| - uses: security-and-quality # (very verbose) | |
| - name: Build | |
| shell: pwsh | |
| run: ./build.ps1 -Arch ${{ matrix.arch }} -Tls ${{ matrix.tls }} -Link ${{ matrix.link }} -Install -BuildInstaller -Debug | |
| - name: Perform CodeQL Analysis | |
| if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }} | |
| uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 | |
| with: | |
| category: "/language:c-cpp" | |
| output: sarif-results | |
| upload: failure-only | |
| - name: Filter SARIF | |
| if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }} | |
| uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d | |
| with: | |
| patterns: -msquic/**/* | |
| input: sarif-results/cpp.sarif | |
| output: sarif-results/cpp.sarif | |
| - name: Upload SARIF | |
| if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }} | |
| uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 | |
| with: | |
| sarif_file: sarif-results/cpp.sarif | |
| - name: Upload SARIF to Artifacts | |
| if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }} | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b | |
| with: | |
| name: sarif-results | |
| path: sarif-results | |
| - name: Upload | |
| uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b | |
| with: | |
| name: bin-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.tls }}-${{ matrix.link }} | |
| path: | | |
| build/bin/**/*.so | |
| build/bin/**/*.dll | |
| build/bin/**/quicreach | |
| build/bin/**/quicreach.exe | |
| build/bin/**/quicreach.msi | |
| - name: Test (Linux) | |
| if: runner.os == 'Linux' | |
| run: /usr/local/lib/quicreach outlook-evergreen.office.com,www.cloudflare.com,www.google.com --req-all --stats | |
| - name: Test (Windows, x64) | |
| if: ${{ runner.os == 'Windows' && matrix.arch == 'x64' }} | |
| run: | | |
| & 'C:/Program Files/quicreach/lib/quicreach' outlook-evergreen.office.com,www.cloudflare.com,www.google.com --req-all --stats | |
| - name: Test (Windows, x86) | |
| if: ${{ runner.os == 'Windows' && matrix.arch == 'x86' }} | |
| run: | | |
| & 'C:/Program Files (x86)/quicreach/lib/quicreach' outlook-evergreen.office.com,www.cloudflare.com,www.google.com --req-all --stats | |
| Complete: | |
| name: Complete | |
| if: always() | |
| needs: [build] | |
| runs-on: ubuntu-latest | |
| permissions: {} # No need for any permissions. | |
| steps: | |
| - name: Decide whether the needed jobs succeeded or failed | |
| uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe | |
| with: | |
| jobs: ${{ toJSON(needs) }} |