diff --git a/README.md b/README.md index 1d3514d561..3843f31085 100644 --- a/README.md +++ b/README.md @@ -61,18 +61,18 @@ jobs: If you prefer to integrate this within an existing CI workflow, it should end up looking something like this: ```yaml - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: go, javascript - - # Here is where you build your code - - run: | - make bootstrap - make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@master +- name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: go, javascript + +# Here is where you build your code +- run: | + make bootstrap + make release + +- name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@master ``` ### Actions triggers The CodeQL action should be run on `push` events, and on a `schedule`. `Push` events allow us to do detailed analysis of the delta in a pull request, while the `schedule` event ensures that GitHub regularly scans the repository for the latest vulnerabilities, even if the repository becomes inactive. This action does not support the `pull_request` event. @@ -89,9 +89,9 @@ Identifying potential files for extraction: Use the config-file parameter of the init action to enable the configuration file. For example: ```yaml - - uses: github/codeql-action/init@master - with: - config-file: ./.github/codeql/codeql-config.yml +- uses: github/codeql-action/init@master + with: + config-file: ./.github/codeql/codeql-config.yml ``` A config file looks like this: 
@@ -124,32 +124,38 @@ paths-ignore: #### If you use a vendor directory Try passing -``` + +```yaml env: - GOFLAGS: "-mod=vendor" + GOFLAGS: "-mod=vendor" ``` + to `github/codeql-action/analyze`. ### If you do not use a vendor directory Dependencies on public repositories should just work. If you have dependencies on private repositories, one option is to use `git config` and a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) to authenticate when downloading dependencies. Add a section like + +```yaml +steps: +- name: Configure git private repo access + env: + TOKEN: ${{ secrets.GITHUB_PAT }} + run: | + git config --global url."https://${TOKEN}@github.com/foo/bar".insteadOf "https://github.com/foo/bar" + git config --global url."https://${TOKEN}@github.com/foo/baz".insteadOf "https://github.com/foo/baz" ``` - steps: - - name: Configure git private repo access - env: - TOKEN: ${{ secrets.GITHUB_PAT }} - run: | - git config --global url."https://${TOKEN}@github.com/foo/bar".insteadOf "https://github.com/foo/bar" - git config --global url."https://${TOKEN}@github.com/foo/baz".insteadOf "https://github.com/foo/baz" -``` + before any codeql actions. A similar thing can also be done with a SSH key or deploy key. ### C# using dotnet version 2 on linux This currently requires invoking `dotnet` with the `/p:UseSharedCompilation=false` flag. For example: + ``` dotnet build /p:UseSharedCompilation=false ``` + Version 3 does not require the additional flag. ## License
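Review bot: in the first hunk (`@@ -61,18 +61,18 @@`) the re-indented snippet still pins its two steps inconsistently: `uses: github/codeql-action/init@v1` but `uses: github/codeql-action/analyze@master`. Since the hunk already rewrites both lines, pin them to the same ref (`@v1` for both, or one release tag for both) so readers do not copy a workflow that tracks a moving branch for one step and a release for the other.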
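Review bot: in the second hunk (`@@ -89,9 +89,9 @@`) the config-file example uses `- uses: github/codeql-action/init@master`, which conflicts with the `init@v1` shown in the workflow example earlier in the same README; suggest `init@v1` here as well so the document recommends a single ref.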
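Review bot: in the third hunk (`@@ -124,32 +124,38 @@`) the `dotnet build /p:UseSharedCompilation=false` fence is left untagged while the other fences in the hunk gain a `yaml` tag; tag it (for example ```shell) for consistency. Also, the private-repo block writes the PAT into the runner's global git config via `git config --global url."https://${TOKEN}@github.com/foo/bar".insteadOf "https://github.com/foo/bar"`; the surrounding prose should say that `secrets.GITHUB_PAT` needs only read access to those repositories, since nothing in the text currently states what scope the token should carry.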