diff --git a/.github/workflows/Code-Scanning.yml b/.github/workflows/Code-Scanning.yml
index 232545ada..393f69dff 100644
--- a/.github/workflows/Code-Scanning.yml
+++ b/.github/workflows/Code-Scanning.yml
@@ -1,5 +1,8 @@
 # This workflow runs the latest CodeQL CLI and checks against CodeQL's Cpp library.
 # This is the source for the GitHub Security Code Scanning job.
+# On push/schedule: samples are split across 4 parallel shards to reduce wall-clock
+# time while keeping ThrottleLimit 1 per shard (required for accurate CodeQL tracing).
+# On pull_request: only changed samples are built in a single job (no sharding needed).
 name: "CodeQL Analysis"
@@ -24,8 +27,12 @@ on:
   workflow_dispatch:
 jobs:
-  analyze:
-    name: Analysis
+  # -----------------------------------------------------------------------
+  # PR job: single runner, builds only changed samples
+  # -----------------------------------------------------------------------
+  analyze-pr:
+    name: Analysis (PR)
+    if: github.event_name == 'pull_request'
     runs-on: windows-latest
     permissions:
       actions: read
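Review bot: Required status checks configured for the old `Analysis` job name will no longer be satisfied on pull requests, because the PR path is now reported as `Analysis (PR)` (job id `analyze-pr`) while the `analyze` id is kept only for push/schedule runs; either keep the display name stable or update branch protection in the same change. The `if: github.event_name == 'pull_request'` guard is fine on its own. The `permissions` block whose first key appears at the end of this hunk continues outside it.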
@@ -35,43 +42,96 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        include:
-        - language: c-cpp
-          build-mode: manual
+        language: [c-cpp]
+        build-mode: [manual]
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
       with:
         submodules: 'recursive'
+
     - name: Install Nuget Packages
       run: nuget restore .\packages.config -PackagesDirectory .\packages\
+
     - name: Get changed files
       id: get-changed-files
       uses: tj-actions/changed-files@v41
       with:
         separator: ","
+
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
         config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development
-    - if: github.event_name == 'pull_request'
+
+    - name: Build changed samples (PR)
       run: |
         $changedFiles = "${{ steps.get-changed-files.outputs.all_changed_files }}".Split(',')
         .\.github\scripts\Build-ChangedSamples.ps1 -ChangedFiles $changedFiles -Verbose
-      env:
+      env:
         WDS_Configuration: Debug
         WDS_Platform: x64
         WDS_WipeOutputs: ${{ true }}
-    - if: github.event_name == 'push'
-      run: .\Build-Samples.ps1 -Verbose -ThrottleLimit 1
+
+    - name: Perform CodeQL analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{ matrix.language }}"
+
+  # -----------------------------------------------------------------------
+  # Push/schedule job: 4 parallel shards, each builds a slice of all samples
+  # -----------------------------------------------------------------------
+  analyze:
+    name: Analysis (shard ${{ matrix.shard }} of 4)
+    if: github.event_name != 'pull_request'
+    runs-on: windows-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [c-cpp]
+        build-mode: [manual]
+        shard: [1, 2, 3, 4]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        submodules: 'recursive'
+
+    - name: Install Nuget Packages
+      run: nuget restore .\packages.config -PackagesDirectory .\packages\
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development
+
+    - name: Build sample shard ${{ matrix.shard }} of 4
+      run: |
+        $totalShards = 4
+        $shardIndex = ${{ matrix.shard }} - 1
+        $allSamples = .\ListAllSamples.ps1
+        $shardSize = [Math]::Ceiling($allSamples.Count / $totalShards)
+        $start = $shardIndex * $shardSize
+        $mySamples = $allSamples | Select-Object -Skip $start -First $shardSize
+        Write-Output "Shard ${{ matrix.shard }}/$totalShards — building $($mySamples.Count) of $($allSamples.Count) samples (indices $start..$($start + $mySamples.Count - 1))"
+        .\Build-Samples.ps1 -Samples $mySamples -Verbose -ThrottleLimit 1
       env:
         WDS_Configuration: Debug
         WDS_Platform: x64
         WDS_WipeOutputs: ${{ true }}
+
     - name: Perform CodeQL analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
       with:
-        category: "/language:${{matrix.language}}"
+        category: "/language:${{ matrix.language }}/shard-${{ matrix.shard }}"
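Review bot: The contiguous Ceiling-sized slicing in the `Build sample shard` step can hand the last shard zero samples — with 9 samples and 4 shards `$shardSize` is 3, so shards 1–3 take indices 0–8 and shard 4 gets nothing, then runs `Perform CodeQL analysis` against an empty manual build while the log prints a nonsensical `indices 9..8`. A round-robin split (take `$allSamples[$i]` for every `$i` congruent to `$shardIndex` mod `$totalShards`) keeps shard sizes within one of each other, and wrapping the `ListAllSamples.ps1` result in `@()` keeps `.Count` and indexing valid when the script yields a single item. The shard count 4 is now repeated in the header comment, the job name, the matrix and the script; `${{ strategy.job-total }}` and `${{ strategy.job-index }}` could replace `$totalShards`/`$shardIndex` as long as `shard` stays the only multi-valued matrix axis. Separately, in the unchanged PR step `steps.get-changed-files.outputs.all_changed_files` is interpolated straight into the PowerShell text; passing it through `env:` and reading `$env:CHANGED_FILES` in the script would keep PR-supplied file names out of the script body. Membership also shifts whenever a sample is inserted mid-list, so alerts may appear to move between `shard-N` categories; hashing the sample path into a shard would keep that stable if it turns out to matter.
```yaml
    - name: Build sample shard ${{ matrix.shard }} of 4
      run: |
        $totalShards = 4
        $shardIndex = ${{ matrix.shard }} - 1
        $allSamples = @(.\ListAllSamples.ps1)
        # Round-robin by index: shard sizes differ by at most one, so no shard is
        # empty unless there are fewer samples than shards.
        $mySamples = @(for ($i = $shardIndex; $i -lt $allSamples.Count; $i += $totalShards) { $allSamples[$i] })
        if ($mySamples.Count -eq 0) { throw "Shard ${{ matrix.shard }}/$totalShards received no samples" }
        Write-Output "Shard ${{ matrix.shard }}/$totalShards — building $($mySamples.Count) of $($allSamples.Count) samples"
        .\Build-Samples.ps1 -Samples $mySamples -Verbose -ThrottleLimit 1
      # … unchanged: env block …
```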