fix(build): add SCA144-152 detector units to uStaticAnalyzer2 uses + … #56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # GitHub Actions workflow: run StaticCodeAnalyser on every push and PR, | |
| # upload SARIF results to GitHub Code-Scanning so findings appear inline | |
| # in PRs and in the Security tab. | |
| # | |
| # Prereqs: | |
| # - The compiled analyser.d12.exe (and its rules/ folder) must be | |
| # reachable. Three common patterns: | |
| # a) commit a pre-built analyser binary into the repo (simple, | |
| # works without Windows runner with Delphi) | |
| # b) run on windows-latest with msbuild + Delphi Community Edition | |
| # (free, but only via custom action) | |
| # c) host the binary on GitHub Releases and download in workflow | |
| # - The example below uses (c): downloads from the SCA repo's latest | |
| # release. Adjust to your distribution model. | |
| # | |
| # Resulting behaviour: | |
| # - Every PR shows SCA findings as inline annotations. | |
| # - GitHub Security tab tracks finding history per branch. | |
| # - Workflow status: green if no errors, red on any error-level finding. | |
| name: Static Code Analysis | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| sca: | |
| name: Run SCA on Delphi sources | |
| runs-on: windows-latest | |
| permissions: | |
| contents: read | |
| security-events: write # required for upload-sarif | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # full history for --branch (Git diff vs main) | |
| - name: Download analyser | |
| # Option C: pull pre-built binary from the analyser's own releases. | |
| # Replace org/repo + version with your distribution. | |
| run: | | |
| $url = "https://github.com/nrodear/StaticCodeAnalyser/releases/latest/download/analyser-windows.zip" | |
| Invoke-WebRequest -Uri $url -OutFile analyser.zip | |
| Expand-Archive analyser.zip -DestinationPath sca-bin | |
| shell: pwsh | |
| - name: Run analyser (full project, SARIF output) | |
| # continue-on-error: even if findings are present we want the SARIF | |
| # uploaded - GitHub will block the PR via branch protection if needed. | |
| run: | | |
| .\sca-bin\analyser.d12.exe ` | |
| --path . ` | |
| --full ` | |
| --report-sarif sca.sarif ` | |
| --quiet | |
| shell: pwsh | |
| continue-on-error: true | |
| - name: Upload SARIF to GitHub Code-Scanning | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: sca.sarif | |
| category: delphi-sca | |
| - name: Archive SARIF as build artifact | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sca-sarif | |
| path: sca.sarif | |
| retention-days: 30 | |
| # Optional: separate fast job that runs only on changed files in PRs. | |
| # Useful for huge repos where --full takes minutes. Comment out if not needed. | |
| sca-pr-changes: | |
| name: SCA on PR-changed files | |
| if: github.event_name == 'pull_request' | |
| runs-on: windows-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download analyser | |
| run: | | |
| $url = "https://github.com/nrodear/StaticCodeAnalyser/releases/latest/download/analyser-windows.zip" | |
| Invoke-WebRequest -Uri $url -OutFile analyser.zip | |
| Expand-Archive analyser.zip -DestinationPath sca-bin | |
| shell: pwsh | |
| - name: Run analyser (branch diff only) | |
| run: | | |
| .\sca-bin\analyser.d12.exe ` | |
| --path . ` | |
| --branch ` | |
| --report-sarif sca-pr.sarif | |
| shell: pwsh | |
| # NOTE: NO continue-on-error - we WANT the job to fail on errors | |
| # in PR-changed files. Exit codes: | |
| # 0 = clean, 1 = hints (still pass), | |
| # 2 = warnings (configure if you want PR-fail on warning) | |
| # 3 = errors (always fail) |