VKCOM · Danil42Russia · Apr 12, 2025 · Apr 12, 2025 · Apr 12, 2025 · Apr 12, 2025
@@ -14,6 +14,7 @@ env:
 
 jobs:
   build-linux:
+    if: ${{ false }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -123,6 +124,7 @@ jobs:
       run: docker rm -f kphp-build-container-${{matrix.os}}
 
   build-macos:
+    if: ${{ false }}
     runs-on: ${{matrix.os}}-14
     strategy:
       matrix:

@@ -0,0 +1,76 @@
+name: CodeQL
+
+on:
+  pull_request:
+    branches: [ "master" ]
+
+env:
+  kphp_root_dir: /home/kitten/kphp
+  kphp_polyfills_dir: /home/kitten/kphp/kphp-polyfills
+  kphp_build_dir: /home/kitten/kphp/build
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - os: buster
+            compiler: g++
+            cpp: 17
+            asan: off
+            ubsan: off
+
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: cpp
+
+      - name: Cache docker image
+        uses: actions/cache@v4
+        id: docker-image-cache
+        with:
+          path: kphp-build-env-${{matrix.os}}.tar
+          key: docker-image-cache-${{matrix.os}}-${{ hashFiles('.github/workflows/Dockerfile.*', 'tests/python/requirements.txt') }}
+
+      - name: Build and save docker image
+        if: steps.docker-image-cache.outputs.cache-hit != 'true'
+        run: |
+          docker build -f $GITHUB_WORKSPACE/.github/workflows/Dockerfile.${{matrix.os}} $GITHUB_WORKSPACE \
+                -t kphp-build-img-${{matrix.os}} \
+                --cache-from=type=local,src=kphp-build-img-${{matrix.os}}-cache
+          docker tag kphp-build-img-${{matrix.os}} kphp-build-img-${{matrix.os}}-cache
+          docker save kphp-build-img-${{matrix.os}}-cache -o kphp-build-env-${{matrix.os}}.tar
+
+      - name: Load docker image from cache
+        if: steps.docker-image-cache.outputs.cache-hit == 'true'
+        run: docker load --input kphp-build-env-${{matrix.os}}.tar
+
+      - name: Start docker container
+        run: |
+          docker run -dt --name kphp-build-container-${{matrix.os}} kphp-build-img-${{matrix.os}}-cache
+          docker cp $GITHUB_WORKSPACE/. kphp-build-container-${{matrix.os}}:${{env.kphp_root_dir}}
+
+      - name: Add git safe directory
+        run: docker exec kphp-build-container-${{matrix.os}} bash -c
+          "git config --global --add safe.directory '*'"
+          # This command is used to address potential issues with Git's safe directory feature.
+          # By setting '*' as a safe directory, we allow Git operations to proceed without errors
+          # related to directory safety, ensuring smooth execution of the submodules updating.
+
+      - name: Build all
+        run: docker exec kphp-build-container-${{matrix.os}} bash -c
+          "cmake -DCMAKE_CXX_COMPILER=${{matrix.compiler}} -DCMAKE_CXX_STANDARD=${{matrix.cpp}} -DADDRESS_SANITIZER=${{matrix.asan}} -DUNDEFINED_SANITIZER=${{matrix.ubsan}} -DPDO_DRIVER_MYSQL=ON -DPDO_DRIVER_PGSQL=ON -DPDO_LIBS_STATIC_LINKING=OFF -S ${{env.kphp_root_dir}} -B ${{env.kphp_build_dir}} && make -C ${{env.kphp_build_dir}} -j$(nproc) all"
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
@@ -12,6 +12,7 @@ env:
 
 jobs:
   build-linux:
+    if: ${{ false }}
     runs-on: ubuntu-latest
     strategy:
       matrix:

@@ -27,6 +27,7 @@ env:
 jobs:
   # Build job
   build:
+    if: ${{ false }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -39,7 +40,7 @@ jobs:
         with:
           path: docs-build-env.tar
           key: docs-docker-image-cache-${{ hashFiles('.github/workflows/Dockerfile.docs') }}
-  
+
       - name: Build and save docker image
         if: steps.docker-image-cache.outputs.cache-hit != 'true'
         run: |
@@ -48,11 +49,11 @@ jobs:
                 --cache-from=type=local,src=docs-build-img-cache
           docker tag docs-build-img docs-build-img-cache
           docker save docs-build-img-cache -o docs-build-env.tar
-          
+
       - name: Load docker image from cache
         if: steps.docker-image-cache.outputs.cache-hit == 'true'
         run: docker load --input docs-build-env.tar
-  
+
       - name: Start docker container
         run: |
           docker run -dt --name docs-build-container docs-build-img-cache
@@ -61,10 +62,10 @@ jobs:
       - name: Build site with Jekyll
         run: docker exec docs-build-container bash -c 
                 "cd /home/kitten/docs && bundle install && bundle exec jekyll build --baseurl ${{env.DOCS_SITE_BASE_URL}} --source /home/kitten/docs --destination /home/kitten/docs/_site --trace"
-                
+
       - name: Prepare artifacts
         run: docker cp docs-build-container:/home/kitten/docs/_site $GITHUB_WORKSPACE/ && tree $GITHUB_WORKSPACE/_site
- 
+
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:

@@ -10,6 +10,7 @@ env:
 
 jobs:
   build-macos:
+    if: ${{ false }}
     runs-on: ${{matrix.os}}-14
     strategy:
       matrix:

@@ -12,6 +12,7 @@ env:
 
 jobs:
   build-linux:
+    if: ${{ false }}
     runs-on: ubuntu-latest
     strategy:
       matrix: