eclipse-score · FScholPer · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
@@ -0,0 +1,106 @@
+# *******************************************************************************
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+# Workflow configuration for S-CORE CI - Release Check
+# This workflow runs Bazel build and test when triggered by tag creation.
+
+name: "CodeQL Advanced"
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - main
+  merge_group:
+    types: [checks_requested]
+
+#jobs:
+#  analyze:
+#    uses: eclipse-score/cicd-workflows/.github/workflows/codeql.yml@main
+#    with:
+#      build-script: |
+#        bazel build --config bl-x86_64-linux -- //score/...
+
+#    permissions:
+#      security-events: write
+#      packages: read
+#      actions: read
+#      contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: c-cpp
+            build-mode: manual  
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          packs: codeql/misra-cpp-coding-standards
+          dependency-caching: true
+        env: 
+          CODEQL_ACTION_DEBUG: true
+
+      - if: matrix.build-mode == 'manual'
+        shell: bash
+        run: |
+          # Clean Bazel cache to ensure a fresh build that CodeQL can trace.
+          # This is crucial as Bazel often uses cached results, which CodeQL cannot observe.
+          bazel clean --expunge
+
+          # Build using specific Bazel flags to help CodeQL detect the build.
+          # --spawn_strategy=local: Ensures local compilation, not distributed.
+          # --nouse_action_cache: Prevents using action cache, forcing recompilation.
+          # --noremote_accept_cached, --noremote_upload_local_results: Avoids remote caching.
+          # --disk_cache=: Disables disk cache.
+          bazel build -j 4 --config bl-x86_64-linux  \
+            --spawn_strategy=local \
+            --nouse_action_cache \
+            --noremote_accept_cached \
+            --noremote_upload_local_results \
+            --disk_cache= \
+            //score/...
+
+          # Shut down Bazel server processes after the build.
+          # This ensures future build commands start in a clean Bazel server process without CodeQL attached.
+          bazel shutdown
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{matrix.language}}"
+          output: sarif-results.sarif
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif-results.sarif
+          path: sarif-results.sarif