From f7c787960d7c6ad298589e51bc2f1c402273af38 Mon Sep 17 00:00:00 2001 From: Build System Date: Tue, 7 Jul 2026 11:09:44 +0200 Subject: [PATCH] ci: re-add CodeQL workflow on hosted runner Repo is public, so CodeQL analysis is free again. Runs on ubuntu-latest (GitHub-hosted) to keep the self-hosted pool free. Monthly cron staggered per repo like ci-deep, plus push/PR to the default branch and manual dispatch. README gains the CodeQL badge. --- .github/workflows/codeql.yml | 109 +++++++++++++++++++++++++++++++++++ README.md | 1 + 2 files changed, 110 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..bf48640 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,109 @@ +name: CodeQL + +# Standalone CodeQL workflow (split out of build-test.yml so security analysis +# evolves independently of the build/test pipeline and shows as its own +# PR check). Third-party actions pinned to commit SHAs — see build-test.yml header. + +# nginx version is resolved at run time (see "Resolve latest mainline nginx" +# step) rather than pinned, so this analysis tracks current mainline. + +env: + FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true + NGINX_VERSION: "" + +on: + push: + branches: [master, main, dev] + pull_request: + branches: [master, main] + schedule: + # Monthly, day 1 @ 04:47 UTC (staggered per repo like ci-deep). + - cron: "47 4 1 * *" + workflow_dispatch: {} + +concurrency: + group: codeql-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + codeql: + name: CodeQL + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + security-events: write + + steps: + - name: Checkout module + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + + - name: Resolve latest mainline nginx + run: | + set -euo pipefail + ver=$(curl -fsSL https://nginx.org/en/download.html \ + | grep -oP 'nginx-\K[0-9]+\.[0-9]+\.[0-9]+(?=\.tar\.gz)' \ + | sort -V | tail -1) + if [ -z "$ver" ]; then + echo "::error::could not resolve mainline nginx version from nginx.org" + exit 1 + fi + echo "Resolved nginx mainline: $ver" + echo "NGINX_VERSION=$ver" >> "$GITHUB_ENV" + + - name: Install build dependencies + run: | + sudo apt-get update + sudo apt-get install -y build-essential pkg-config libzstd-dev \ + libpcre2-dev zlib1g-dev wget + + - name: Cache nginx source tarball + id: nginx-tarball + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + with: + path: nginx-${{ env.NGINX_VERSION }}.tar.gz + key: nginx-src-${{ env.NGINX_VERSION }} + + - name: Download nginx source tarball + if: steps.nginx-tarball.outputs.cache-hit != 'true' + run: wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" + + - name: Initialize CodeQL + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 + with: + languages: c-cpp + queries: security-extended + paths: | + filter + static + *.c + *.h + paths-ignore: | + nginx-* + + - name: Build module sources for CodeQL + run: | + tar -xzf "nginx-${NGINX_VERSION}.tar.gz" + cd "nginx-${NGINX_VERSION}" + # --add-module (static) compiles the zstd module objects INTO the + # nginx binary, so a full `make` is what the CodeQL tracer sees. + # `make modules` only builds --add-dynamic-module .so targets and + # leaves the static add-module untouched, which is why CodeQL + # reported "no source code seen during build". Do not redirect + # configure to /dev/null — a silent configure failure would also + # produce an empty CodeQL database. + ./configure \ + --with-compat \ + --with-debug \ + --with-cc-opt="-DZSTD_STATIC_LINKING_ONLY $(pkg-config --cflags libzstd zlib libpcre2-8)" \ + --with-ld-opt="$(pkg-config --libs libzstd zlib libpcre2-8)" \ + --add-module="$GITHUB_WORKSPACE" + make -j"$(nproc)" + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 + with: + category: "/language:c-cpp" diff --git a/README.md b/README.md index 3c7f953..cab9995 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ [![Fuzzing](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/fuzzing.yml/badge.svg)](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/fuzzing.yml) [![Valgrind](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/valgrind.yml/badge.svg)](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/valgrind.yml) [![CI Deep](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/ci-deep.yml/badge.svg)](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/ci-deep.yml) +[![CodeQL](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/codeql.yml/badge.svg)](https://github.com/myguard-labs/nginx-zstd-module/actions/workflows/codeql.yml) 📖 **Background reading:** - [zstd nginx module: what it does, bugs fixed](https://deb.myguard.nl/2026/05/zstd-nginx-module-what-it-does-bugs-fixed/)