summaryrefslogtreecommitdiff
path: root/.github
AgeCommit message (Collapse)AuthorFilesLines
2024-03-04.github/workflows/codeql.yml: Update actions being deprecatedMichael Kubacki1-13/+24
Currently CodeQL runs have the following warnings: Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/setup-python@v4, actions/upload-artifact@v3, actions/cache@v3. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/. And: CodeQL Action v2 will be deprecated on December 5th, 2024. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see: https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/ The first is resolved by updating the actions to the latest versions that were released to use Node.js 20. The second is specifically referring to the codeql-action/upload-sarif action which is at v2. This change updates all of the actions to the latest releases to prevent deprecated versions from continuing to be used. --- The following breaking change was noted in actions/upload-artifact that caused some related changes in the workflow: "Due to how Artifacts are created in this new version, it is no longer possible to upload to the same named Artifact multiple times. You must either split the uploads into multiple Artifacts with different names, or only upload once. Otherwise you will encounter an error." This workflow depended on that behavior previously to append multiple logs (e.g. setup log, update log, build log) to the same named artifact (named per package). These were appended after each operation so they are readily available if the operation failed and no further actions are run. Now the artifacts must be unique in name. The hyphenation comes in because edk2 further builds some packages with both architectures in a single build vs separate builds (e.g. IA32 and X64 vs IA32,X64). To uniquely name artifacts resulting from those builds, the architecture is also placed in the artifact name. For builds with multiple architectures the artifact name captures each architecture separated by a hyphen. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Joey Vagedes <joey.vagedes@gmail.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
2023-11-30.github/workflows/codeql.yml: Add emacs outputMichael Kubacki1-4/+16
Updates the workflow to also output files that can be loaded in emacs to show CodeQL issues (in addition to the existing SARIF output for standard SARIF viewers). The emacs files are in the SARIF zip file attached to each "CodeQL" run (https://github.com/tianocore/edk2/actions/workflows/codeql.yml). The file name ends with "-emacs.txt". An MdePkg example: "codeql-db-mdepkg-debug-0-emacs.txt". Cc: Joey Vagedes <joey.vagedes@gmail.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Joey Vagedes <joey.vagedes@gmail.com>
2023-11-07.github/workflows/codeql.yml: Add CodeQL workflowMichael Kubacki1-0/+338
Adds a workflow to run CodeQL against all packages built in .pytool/CISettings.py. The following is done: 1. Determine which packages to build against. Those that support are managed by .pytool/CISettings.py will be selected. For each package: 2. Determine how to interact with the package. Such as whether `stuart_ci_setup` or `stuart_setup` should be used. 3. Perform supported Stuart steps for setup and update. 4. Discover the CodeQL plugin directory in the repo. 5. Attempt to load the CodeQL CLI specific to the host OS from a GitHub cache. 6. Perform the build. 7. Clean up some files after build to improve robustness. 8. Upload the CodeQL results (generated SARIF file) to GitHub Code Scanning. The results will be associated with the trigger of the workflow. After each step that can upload logs such as the setup, update, and build steps the logs are uploaded as an artifact to the workflow run. This allows easy debugging in case there's an error in the step. The SARIF file is also uploaded to the workflow run so it can be downloaded and analyzed. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Acked-by: Laszlo Ersek <lersek@redhat.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
2023-11-07Remove existing CodeQL infrastructureMichael Kubacki3-171/+0
CodeQL currently runs via the codeql-analysis.yml GitHub workflow which uses the `github/codeql-action/init@v2` action (pre-build) and the `github/codeql-action/analyze@v2` action (post-build) to setup the CodeQL environment and extract results. This infrastructure is removed in preparation for a new design that will directly run the CodeQL CLI as part of the build. This will allow CodeQL to be run locally as part of the normal build process with results that match 1:1 with CI builds. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Acked-by: Laszlo Ersek <lersek@redhat.com> Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
2023-10-31.github/workflows: Add Stale CheckMichael Kubacki1-0/+44
Adds a GitHub workflow that uses the actions/stale GitHub action to automatically leave notifications on and close PRs that have had no activity for a long time. Note: Modifications to a PR reset the staleness counter. This includes pushing to the PR, adding a label to the PR, commenting on the PR, etc. If a PR has been marked "stale", simply leaving a comment will reset the counter. Configuration choices: 1. Do not attempt to close edk2 GitHub issues. 2. Mark edk2 PRs as stale if no activity in the last 60 days. Close PRs marked stale if no further activity in 7 days. 3. Do not exempt PRs with a "push" label. 4. Run the check once daily. Allow manual runs from those that have permission to run GitHub workflows. 5. Add the label "stale" to the PR when it enters the stale state. Rationale: 1. We do not use issues often enough. The limited usage of GitHub issues in Tianocore org GitHub projects are in another repo not impacted by this workflow and expected to track long term tasks. 2. This is the default value. In non-edk2 projects, I've seen these times work fairly well to identify PRs that have fallen stale. 3. Adding a "push" label resets the stale timer. If a PR has had a "push" label for 60+ days and has not been fixed for submission, then it is has very likely been abandoned. 4. This is sufficient to update PRs on the day granularity the configuration settings are applied against. 5. The label makes it easy to filter stale PRs in the PR list and write automation around PRs that are stale. It's also an obvious visual identifier that a PR needs attention in the PR list. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Kubacki <mikuback@linux.microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Message-Id: <20231031014120.917-1-mikuback@linux.microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com>
2023-10-07.github: Fix Python version (to 3.11)Michael Kubacki1-1/+1
Build was previously using 3.11. Using 3.12 now that is is released. To allow scripts to take time to update, fix to 3.11. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
2023-04-04.github.workflows: Split MdeModulePkg and CryptoPkg analysisMichael D Kinney1-22/+42
MdeModulePkg and CryptoPkg have double the CodeQL analysis time of all other packages. Split these packages up to perform separate analysis of IA32 and X64. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Kubacki <mikuback@linux.microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Michael Kubacki <mikuback@linux.microsoft.com>
2023-04-03.github/codeql/edk2.qls: Enable CWE 120, 787, and 805 queriesMichael Kubacki1-2/+5
As recommended by CodeQL this change replaces cpp/potential-buffer-overflow with cpp/overrunning-write-with-float and cpp/overrunning-write. Enables: 1. cpp/overrunning-write - @name Likely overrunning write - @description Buffer write operations that do not control the length data written may overflow - @kind problem - @problem.severity error - @security-severity 9.3 - @precision high - @id cpp/very-likely-overrunning-write - @tags reliability - security - external/cwe/cwe-120 - external/cwe/cwe-787 - external/cwe/cwe-805 2. cpp/overrunning-write-with-float - @name Potentially overrunning write with float to string conversion - @description Buffer write operations that do not control the length of data written may overflow when floating point inputs take extreme values. - @kind problem - @problem.severity error - @security-severity 9.3 - @precision medium - @id cpp/overrunning-write-with-float - @tags reliability - security - external/cwe/cwe-120 - external/cwe/cwe-787 - external/cwe/cwe-805 3. cpp/very-likely-overrunning-write - @name Likely overrunning write - @description Buffer write operations that do not control the length of data written may overflow - @kind problem - @problem.severity error - @security-severity 9.3 - @precision high - @id cpp/very-likely-overrunning-write - @tags reliability - security - external/cwe/cwe-120 - external/cwe/cwe-787 - external/cwe/cwe-805 - CWEs: - https://cwe.mitre.org/data/definitions/120.html - https://cwe.mitre.org/data/definitions/787.html - https://cwe.mitre.org/data/definitions/805.html Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Kubacki <mikuback@linux.microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Oliver Smith-Denny <osd@smith-denny.com>
2023-04-03.github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queriesMichael Kubacki1-0/+7
The previous commits fixed issues with these queries across various packages. Now that those are resolved, enable the queries in the edk2 query set so regressions can be found in the future. Enables: 1. cpp/conditionallyuninitializedvariable - CWE: https://cwe.mitre.org/data/definitions/457.html - @name Conditionally uninitialized variable - @description An initialization function is used to initialize a local variable, but the returned status code is not checked. The variable may be left in an uninitialized state, and reading the variable may result in undefined behavior. - @kind problem - @problem.severity warning - @security-severity 7.8 - @id cpp/conditionally-uninitialized-variable - @tags security - external/cwe/cwe-457 2. cpp/pointer-overflow-check - CWE: https://cwe.mitre.org/data/definitions/758.html - @name Pointer overflow check - @description Adding a value to a pointer to check if it overflows relies on undefined behavior and may lead to memory corruption. - @kind problem - @problem.severity error - @security-severity 2.1 - @precision high - @id cpp/pointer-overflow-check - @tags reliability - security - external/cwe/cwe-758 3. cpp/potential-buffer-overflow - CWE: https://cwe.mitre.org/data/definitions/676.html - @name Potential buffer overflow - @description Using a library function that does not check buffer bounds requires the surrounding program to be very carefully written to avoid buffer overflows. - @kind problem - @id cpp/potential-buffer-overflow - @problem.severity warning - @security-severity 10.0 - @tags reliability - security - external/cwe/cwe-676 - @deprecated This query is deprecated, use Potentially overrunning write (`cpp/overrunning-write`) and Potentially overrunning write with float to string conversion (`cpp/overrunning-write-with-float`) instead. Note that cpp/potential-buffer-overflow is deprecated. This query will be updated to the succeeding queries in the next commit. The query is used in this commit to show that we considered and tested the query in history. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Kubacki <mikuback@linux.microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Oliver Smith-Denny <osd@smith-denny.com>
2023-04-02.github/dependabot.yml: Disable automatic rebasingMichael Kubacki1-0/+2
Sets the rebase-strategy to "disabled" to prevent automatic rebasing. Rebasing can be done manually in the dependabot PR either through the GitHub UI or the dependabot command. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
2023-04-02.github/workflows/codeql-analysis.yml: Add PIP cachingMichael Kubacki1-0/+2
Adds caching of PIP dependencies. This reduces overall execution time and decreases likelihood of a network error reaching out pypi to get the dependencies. Caching happens based on modules specified in pip-requirements.txt. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Kubacki <mikuback@linux.microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
2022-11-29.github/ISSUE_TEMPLATE/config.yml: Add initial issue templateMichael Kubacki1-0/+24
Adds a GitHub issue template to direct contributors familiar with GitHub's issue tracker to the external resources used by TianoCore. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
2022-11-29.github/dependabot.yml: Enable dependabotMichael Kubacki1-0/+34
Enables dependabot in this repo so we can better alerted when dependency updates are available. This GitHub action will automatically create pull requests and summarize the dependency details. Because it is a pull request, the CI system will validate the dependency update in the pull request. Configures dependabot for: 1. PIP module updates 2. GitHub action updates The maintainers/reviewers of the .github directory were added as pull request reviewers so they can be notified when the pull request is available. Note to Maintainers: After this change is committed, PRs from dependabot will be automatically created in the edk2 repo. Never set the 'push' label directly on these PRs. If a dependency identified by dependedabot looks like one that should be updated in the edk2 repo, then copy the PR generated by dependabot to your personal fork and update the commit message to follow the edk2 commit message requirements and send as a normal code review. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
2022-11-11.github/workflows: Update CodeQL to install Python 3.10.6Michael D Kinney1-0/+5
Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Kubacki <mikuback@linux.microsoft.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Michael Kubacki <mikuback@linux.microsoft.com>
2022-11-09edk2.qls: Allow error severity results and add new queriesMichael Kubacki2-2/+3
The query cpp/conditionallyuninitializedvariable was initially enabled with the CodeQL code because work was in progress on those changes. The results were filtered out so CodeQL passed so we could verify the CodeQL workflow without impacting CI results. This change allows error severity messages and substitutes that query with two queries that do not return failures. This allows these queries to find future problems and prepares the CodeQL workflow to catch future failures as queries are enabled. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
2022-11-08.github: Add initial CodeQL config and workflow filesMichael Kubacki3-0/+133
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4115 Adds initial support for enabling CodeQL Code Scanning in this repository per the RFC: https://github.com/tianocore/edk2/discussions/3258 Adds the following new files: - .github/workflows/codql-analysis.yml - The main GitHub workflow file used to setup CodeQL in the repo. - .github/codeql/codeql-config.yml - The main CodeQL configuration file used to customize the queries and other resources the repo is using for CodeQL. - edk2.qls - A query set of queries to run for CodeQL. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>