From 504950c4c63a3e6da7037398a58ef71d82e96712 Mon Sep 17 00:00:00 2001
From: Davis Goodin
Date: Fri, 18 Nov 2022 10:40:12 -0800
Subject: [PATCH] Move CodeQL to validation pipeline, keep patch check in Actions (#801)
(cherry picked from commit 208aed96fd856672541153a0b4924bf7ed5475f2)
---
 .github/workflows/codeql-analysis.yml | 57 ------------------
 .github/workflows/test.yml | 28 +++++++++
 .../rolling-internal-validation-pipeline.yml | 19 +++++--
 eng/pipeline/stages/run-stage.yml | 44 ++++++++++++--
 4 files changed, 79 insertions(+), 69 deletions(-)
 delete mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/test.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index b16031e3a10..00000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,57 +0,0 @@ -# Copyright (c) Microsoft Corporation. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - -# This is a CodeQL analysis job that runs on each PR to point out whether it -# adds new potentially insecure code patterns. It also runs on a periodic basis -# to analyze the checked-in code. - -# For more overall info about CodeQL: https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning -# More about the CodeQL actions: https://github.com/github/codeql-action -# OneNote page with more internal info: https://microsoft.sharepoint.com/teams/managedlanguages/_layouts/OneNote.aspx?id=%2Fteams%2Fmanagedlanguages%2Ffiles%2FTeam%20Notebook%2FGoLang%20Team&wd=target%28Main.one%7C62B655D4-14E7-41D6-A063-0869C28D63FC%2FSDL%20Tools%7C3908F727-3751-4ACC-8C71-6CEB2DF277B4%2F%29 - -name: "CodeQL" - -on: - push: - branches: [ microsoft/* ] - pull_request: - branches: [ microsoft/* ] - schedule: - # Run at 08:39 UTC each Thursday. - - cron: '39 8 * * 4' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'cpp', 'go' ] - - env: - # Instead of running "go build" during the analysis step, instrument our custom build. - CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on" - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - - # Custom build command. The Go repo itself doesn't have a module at the - # root, so typical Go module build commands don't work. - - run: | - pwsh eng/run.ps1 build -refresh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 00000000000..30a6944a828 
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,28 @@
+# Copyright (c) Microsoft Corporation.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# This job tests that the patches apply cleanly, and nothing else. The goal is to test this as
+# quickly as possible. This job is a good signal for devs: GitHub Actions is quick to get an agent,
+# so when this job fails, it's easy to see, and clear to the dev that the rest of the PR's jobs
+# aren't going to succeed and can be ignored.
+#
+# Ideally, failure of this job would block the tests from running, because it would be a waste of
+# time to hit the patch failure N times. However, the actual tests run in AzDO, so we can't
+# reasonably cancel them from here (GitHub Actions).
+
+name: "Test"
+
+on:
+  pull_request:
+    branches: [ microsoft/* ]
+
+jobs:
+  check_patches:
+    name: Patches Apply Cleanly
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - run: pwsh eng/run.ps1 submodule-refresh -shallow
diff --git a/eng/pipeline/rolling-internal-validation-pipeline.yml b/eng/pipeline/rolling-internal-validation-pipeline.yml
index 9735d293af9..dff015add76 100644
--- a/eng/pipeline/rolling-internal-validation-pipeline.yml
+++ b/eng/pipeline/rolling-internal-validation-pipeline.yml
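Review bot: The new `check_patches` job declares no `permissions:` block, so its `GITHUB_TOKEN` receives whatever the repository's default workflow permissions are, whereas the `codeql-analysis.yml` workflow this commit deletes scoped the token explicitly (`actions: read`, `contents: read`, `security-events: write`). The job only checks out the repository and applies patches, so a read-only token suffices: add `permissions:` / `  contents: read` at the job (or workflow) level. Pinning `actions/checkout@v2` to a full commit SHA rather than a mutable tag would also narrow supply-chain exposure, though that part is unchanged from the deleted workflow.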
@@ -2,14 +2,14 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-# This pipeline runs after each internal rolling build of Go and validates compliance.
-#
-# This pipeline template runs automated SDL validation with internal-only tooling. It uses a job
-# template from dotnet/arcade that runs the Guardian suite of tools and reports the results to TSA
-# (Trust Services Automation).
+# This pipeline runs after each internal rolling build of Go and validates compliance. It runs the
+# automated CodeQL scan and SDL validation with internal-only tooling. It uses a job template from
+# dotnet/arcade that runs the Guardian suite of tools and reports the results to TSA (Trust Services
+# Automation).
 #
 # For more information, see:
-# https://microsoft.sharepoint.com/teams/managedlanguages/_layouts/OneNote.aspx?id=%2Fteams%2Fmanagedlanguages%2Ffiles%2FTeam%20Notebook%2FGoLang%20Team&wd=target%28Main.one%7C62B655D4-14E7-41D6-A063-0869C28D63FC%2FSDL%20Tools%7C3908F727-3751-4ACC-8C71-6CEB2DF277B4%2F%29
+# CodeQL: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/codeql-semmle
+# SDL: https://microsoft.sharepoint.com/teams/managedlanguages/_layouts/OneNote.aspx?id=%2Fteams%2Fmanagedlanguages%2Ffiles%2FTeam%20Notebook%2FGoLang%20Team&wd=target%28Main.one%7C62B655D4-14E7-41D6-A063-0869C28D63FC%2FSDL%20Tools%7C3908F727-3751-4ACC-8C71-6CEB2DF277B4%2F%29
 
 trigger: none
 pr: none
@@ -34,7 +34,14 @@ resources:
            - microsoft/dev.boringcrypto.go*
 
 stages:
+  - template: stages/shorthand-builders-to-builders.yml
+    parameters:
+      jobsTemplate: builders-to-stages.yml
+      shorthandBuilders:
+        - { os: linux, arch: amd64, config: codeql }
+
   - stage: SDLValidate
+    dependsOn: []
     variables:
       # TSA variables.
       - group: go-sdl-validation
diff --git a/eng/pipeline/stages/run-stage.yml b/eng/pipeline/stages/run-stage.yml
index d86228d379d..f216be42846 100644
--- a/eng/pipeline/stages/run-stage.yml
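Review bot: `dependsOn: []` on `SDLValidate` is what keeps the SDL stage from waiting on the new CodeQL stage inserted above it, but nothing in the hunk says so, and a reader could take it for a leftover; a one-line comment would settle it: `# No dependency on the CodeQL stage above; the two scans run in parallel.` The `config: codeql` shorthand builder is likewise undocumented here even though, per the `run-stage.yml` hunks in this same commit, that value presumably switches the job to a bare-agent CodeQL3000 build with a longer timeout; `# 'codeql' config: run-stage.yml runs this builder without a container and with CodeQL3000 enabled.` would point the reader there. The `stages:` list continues outside this hunk.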
+++ b/eng/pipeline/stages/run-stage.yml
@@ -27,6 +27,10 @@ stages:
         # https://github.com/microsoft/go/issues/568
         timeoutInMinutes: 180
 
+        ${{ if eq(parameters.builder.config, 'codeql') }}:
+          # Allow CodeQL to take a while. https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/configuring-codeql3000-ado-pipelines#other-issues
+          timeoutInMinutes: 360
+
         ${{ if eq(parameters.builder.os, 'windows') }}:
           pool:
             name: ${{ parameters.dncengPool.name }}
@@ -38,12 +42,14 @@ stages:
           pool:
             name: ${{ parameters.dncengPool.name }}
             demands: ${{ parameters.dncengPool.demands.linux }}
-          # The image used for the container this job runs in. The tests run in this container, so it
-          # should match what we support as closely as possible.
-          ${{ if not(parameters.builder.distro) }}:
-            container: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-1.0.20211027-20211201-0cccc22
-          ${{ if eq(parameters.builder.distro, 'ubuntu') }}:
-            container: mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-18.04-20211022152710-047508b
+          # The image used for the container this job runs in. The tests run in this container, so
+          # it should match what we support as closely as possible. Don't use a container for the
+          # CodeQL scan build to avoid interfering with the LD_PRELOAD hook.
+          ${{ if ne(parameters.builder.config, 'codeql') }}:
+            ${{ if eq(parameters.builder.distro, 'ubuntu') }}:
+              container: mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-18.04-20211022152710-047508b
+            ${{ else }}:
+              container: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-1.0.20211027-20211201-0cccc22
         ${{ if eq(parameters.builder.hostArch, 'arm64') }}:
           pool:
             name: Docker-Linux-Arm-Internal
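Review bot: The new `${{ else }}` branch routes every builder whose `distro` is not `ubuntu` to the Mariner image, whereas the removed `not(parameters.builder.distro)` check did so only when `distro` was unset; an unrecognized `distro` value now silently builds in the Mariner container instead of producing no container, a behavior change the commit message does not mention. If that is intended, say so in the comment: `# Any distro other than ubuntu (including unset) uses the Mariner image.` The `codeql` builder, by contrast, now runs directly on the pool agent, so its build prerequisites come from the agent image rather than from either container image; the comment could note that so nobody assumes the containerized prereqs apply to the scan build. The enclosing job definition starts before this hunk.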
@@ -52,6 +58,16 @@ stages:
 
         variables:
           - group: go-cmdscan-rules
+          - ${{ if eq(parameters.builder.config, 'codeql') }}:
+            # Enable CodeQL scan and configure options.
+            # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/configuring-codeql3000-ado-pipelines#additional-options
+            - name: Codeql.Enabled
+              value: true
+            - name: Codeql.Language
+              value: go,cpp
+            # Always scan. This way we don't miss out on a release branch build, for example.
+            - name: Codeql.Cadence
+              value: 0
 
         steps:
           - ${{ if eq(parameters.builder.os, 'linux') }}:
@@ -98,6 +114,12 @@ stages:
               eng/run.ps1 pack-source
             displayName: Archive submodule source
 
+          # Manually init (and finalize, later) the CodeQL3000 extension so that it will run on any
+          # branch, not just the default.
+          # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/configuring-codeql3000-ado-pipelines#how-does-this-extension-work
+          - ${{ if eq(parameters.builder.config, 'codeql') }}:
+            - task: CodeQL3000Init@0
+
           - pwsh: |
               # Apply the patches as staged changes, so the HEAD commit is the same as upstream.
               eng/run.ps1 submodule-refresh
@@ -123,6 +145,13 @@ stages:
               displayName: Pipeline publish
               condition: succeededOrFailed()
 
+          # CodeQL plugs into the compiler to find the code. Just build.
+          - ${{ elseif eq(parameters.builder.config, 'codeql' ) }}:
+            - pwsh: |
+                eng/run.ps1 cmdscan -envprefix GO_CMDSCAN_RULE_ -- `
+                  pwsh eng/run.ps1 build
+              displayName: Build
+
           # Use run-builder for any configuration that includes tests. run-builder uses the "gotestsum"
           # module to convert test results to a JUnit file that Azure DevOps can understand.
           - ${{ else }}:
@@ -164,3 +193,6 @@ stages:
             displayName: Update file ownership from root to build agent account
             continueOnError: true
             condition: succeededOrFailed()
+
+          - ${{ if eq(parameters.builder.config, 'codeql') }}:
+            - task: CodeQL3000Finalize@0
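Review bot: `${{ elseif eq(parameters.builder.config, 'codeql' ) }}` carries a stray space before the closing parenthesis; every other `codeql` check this commit adds to the file writes `'codeql')`, so the line should read `- ${{ elseif eq(parameters.builder.config, 'codeql') }}:`. The `if`/`else` chain this branch belongs to starts before the hunk.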
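Review bot: `CodeQL3000Finalize@0` is added with no `condition:`, so under the default `succeeded()` it is skipped whenever an earlier step fails, leaving the `CodeQL3000Init@0` step from the earlier hunk without its matching finalize and, presumably, no scan results published for that run; the adjacent ownership-fix step already uses `condition: succeededOrFailed()` for the same reason. Give the task the same treatment: `- task: CodeQL3000Finalize@0` / `  condition: succeededOrFailed()`, still gated on the `codeql` config. The steps list continues outside this hunk.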