diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..deaefbb332
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,90 @@
+name: "CodeQL Advanced Analysis"
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - amd-staging
+ paths-ignore:
+ - '*.md'
+ - 'source/docs/**'
+ - 'CODEOWNERS'
+
+ push:
+ branches:
+ - amd-staging
+ paths-ignore:
+ - '*.md'
+ - 'source/docs/**'
+ - 'CODEOWNERS'
+
+env:
+ ROCM_PATH: "/opt/rocm"
+ GPU_TARGETS: "gfx900 gfx906 gfx908 gfx90a gfx940 gfx941 gfx942 gfx1030 gfx1100 gfx1101 gfx1102"
+ PATH: "/usr/bin:$PATH"
+ EXCLUDED_PATHS: "external /tmp/build/external"
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: gpuless-emu-runner-set
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: cpp
+ build-mode: manual
+ - language: python
+ build-mode: none
+ - language : actions
+ build-mode: none
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install requirements
+ timeout-minutes: 10
+ shell: bash
+ run: |
+ git config --global --add safe.directory '*'
+ apt-get update
+ apt-get install -y build-essential cmake g++-11 g++-12 python3-pip libdw-dev rccl-dev rccl-unittests
+ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-11 10 --slave /usr/bin/g++ g++ /usr/bin/g++-11 --slave /usr/bin/gcov gcov /usr/bin/gcov-11
+ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 20 --slave /usr/bin/g++ g++ /usr/bin/g++-12 --slave /usr/bin/gcov gcov /usr/bin/gcov-12
+ python3 -m pip install -r requirements.txt
+
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ queries: security-extended
+
+ - name: Configure and Build
+ timeout-minutes: 30
+ shell: bash
+ run: |
+ cmake -B /tmp/build -DCMAKE_PREFIX_PATH=/opt/rocm -DPython3_EXECUTABLE=$(which python3) .
+ cmake --build /tmp/build --target all --parallel 16
+ rm -rf ${EXCLUDED_PATHS}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
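Review bot: The `pull_request` trigger runs the `analyze` job — including `cmake --build` and `python3 -m pip install -r requirements.txt`, both driven by files the pull request controls — on the self-hosted runner `gpuless-emu-runner-set`, so if this repository accepts pull requests from forks, unreviewed code executes on a persistent runner with whatever that host can reach. If that is the case, gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` (or run fork PRs on a GitHub-hosted runner), and consider pinning `actions/checkout@v4` and the two `github/codeql-action` steps to full commit SHAs rather than moving tags. Separately, `PATH: "/usr/bin:$PATH"` in the workflow-level `env` is not shell-expanded, so the runner most likely receives the literal string rather than a prepended search path; if a prepend is intended, do it in a step with `echo "/usr/bin" >> "$GITHUB_PATH"`, otherwise drop the entry. `rm -rf ${EXCLUDED_PATHS}` deletes checked-out sources after the build to keep them out of the scan, which a `paths-ignore` list in a CodeQL config file passed via `config-file:` on the init step expresses without destructive shell. Style: `- language : actions` has a space before the colon unlike its siblings — `- language: actions`.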