# CodeQL Advanced Security Analysis for MLXR
# Customized for macOS-native LLM inference engine with MLX framework
#
# Notable customizations:
# - Swift/Objective-C analysis disabled (macOS app incomplete)
# - C++ analysis uses manual build with CMake
# - Path exclusions for generated code and build artifacts
# - Works with GitHub's default setup disabled
name: CodeQL Advanced

# Triggers: pushes and pull requests that target main or develop, plus a
# weekly scheduled scan.
on:
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main
      - develop
  schedule:
    # Weekly on Sundays at 4:40 AM UTC
    - cron: '40 4 * * 0'

# Workflow-level GITHUB_TOKEN scopes. Every job in this file inherits them
# unless it declares its own `permissions` block, so keep this list minimal.
permissions:
  # NOTE(review): GitHub's CodeQL template lists `actions: read` as needed only
  # for private repositories - confirm it is required here.
  actions: read
  # Read access to the repository contents for the checkout step.
  contents: read
  # Needed to upload analysis results to code scanning.
  security-events: write
  # NOTE(review): GitHub's CodeQL template lists `packages: read` for fetching
  # internal or private CodeQL packs - confirm it is required here.
  packages: read
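jobs:
  # Runs CodeQL once per matrix entry (language + build mode) and uploads the
  # results to code scanning.
  analyze:
    name: Analyze (${{ matrix.language }})
    # Both branches of this expression currently resolve to ubuntu-latest, so
    # every matrix leg (including c-cpp) runs on Linux.
    runs-on: ${{ (matrix.language == 'c-cpp' && 'ubuntu-latest') || 'ubuntu-latest' }}
    timeout-minutes: 360
    strategy:
      # Let the other languages finish even if one leg fails.
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: c-cpp
            build-mode: manual
            # Manual build required - autobuild won't work due to:
            # - macOS-specific MLX framework
            # - Metal shaders (macOS only)
            # - Custom CMake configuration
          - language: javascript-typescript
            build-mode: none
          - language: python
            build-mode: none
          # Swift/Objective-C analysis DISABLED until macOS app is complete
          # Uncomment when app/macos/MLXR.xcodeproj is ready:
          # - language: swift
          #   build-mode: autobuild
          #   runs-on: macos-latest
          # NOTE(review): a `runs-on` key inside a matrix entry only defines
          # `matrix.runs-on`; the job-level `runs-on` expression above does not
          # read it and must be updated to select macos-latest for swift.
    steps:
      # NOTE(review): the actions in this job are referenced by mutable
      # major-version tags (@v4, @v3). For supply-chain hardening, pin each
      # one to a full commit SHA and keep the tag as a trailing comment, e.g.
      # `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder).
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # The c-cpp leg later runs the repository's own CMake build in this
          # job; do not leave the GITHUB_TOKEN in .git/config where build
          # scripts could read it.
          persist-credentials: false

      # C++ build dependencies (Ubuntu)
      - name: Install C++ build dependencies
        if: matrix.language == 'c-cpp'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            cmake \
            ninja-build \
            libssl-dev \
            libsqlite3-dev \
            protobuf-compiler \
            libprotobuf-dev \
            libgrpc++-dev \
            libgrpc-dev \
            pkg-config

      # Initialize CodeQL
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          config-file: .github/codeql/codeql-config.yml
          # Use security-extended queries for comprehensive coverage
          # NOTE(review): a `queries` input given here is used instead of any
          # `queries` list in the config file unless the value is prefixed
          # with `+` - confirm against codeql-config.yml.
          queries: security-extended

      # Manual build for C++ (required due to macOS-specific dependencies)
      - name: Build C++ code for CodeQL analysis
        if: matrix.language == 'c-cpp'
        run: |
          echo "=== Configuring CMake for CodeQL analysis ==="
          # Configure with minimal dependencies (no MLX/Metal on Linux).
          # With build-mode "manual", CodeQL extracts only the C/C++ files
          # whose compilation it observes. A failed configure or build
          # therefore shrinks the analyzed code; it does not get analyzed
          # "anyway". Failures are tolerated here on purpose, so treat the
          # C++ result as partial coverage.
          cmake -B build -G Ninja \
            -DCMAKE_BUILD_TYPE=Release \
            -DBUILD_GRPC=ON \
            -DCMAKE_CXX_COMPILER=g++ \
            -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
            || echo "⚠️ CMake configuration failed (expected - no MLX on Linux)"
          echo "=== Building daemon components ==="
          # Ninja stops at the first failing job by default. "-k 0" keeps
          # going so every translation unit that can compile on Linux is
          # compiled, and therefore seen by CodeQL, despite MLX failures.
          cmake --build build --target mlxr_daemon -- -k 0 2>&1 || true
          echo "✅ Build step complete (failures expected for MLX-dependent code)"
          echo "CodeQL only analyzes C/C++ files that were actually compiled; check the extraction diagnostics for coverage"

      # Perform CodeQL Analysis
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"
          # Also write the SARIF to a local directory for the artifact step.
          output: sarif-results
          upload: true

      # Upload SARIF for debugging (optional)
      # NOTE(review): workflow artifacts are readable by a wider audience than
      # code scanning alerts (on a public repository, anyone who can view the
      # run). The SARIF holds unfixed findings, so confirm this exposure is
      # acceptable or drop the step once debugging is done.
      - name: Upload SARIF results as artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif-${{ matrix.language }}
          path: sarif-results
          retention-days: 5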
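# Summary job: writes a short report to the run's step summary.
  analysis-summary:
    name: CodeQL Analysis Summary
    runs-on: ubuntu-latest
    needs: analyze
    # Runs even when analyze failed or was cancelled, so the text below must
    # report the real outcome instead of assuming success.
    if: always()
    # This job only writes to the step summary; it needs no token scopes.
    permissions: {}
    steps:
      - name: Print summary
        env:
          # Aggregated result of the analyze matrix
          # (success, failure, cancelled or skipped).
          ANALYZE_RESULT: ${{ needs.analyze.result }}
        run: |
          {
            echo "## CodeQL Analysis Summary"
            echo ""
            echo "Analyze job result: **${ANALYZE_RESULT}**"
            echo ""
            echo "Languages in the analysis matrix:"
            echo "- GitHub Actions workflows"
            echo "- C++ (only files compiled by the best-effort Linux build of mlxr_daemon)"
            echo "- JavaScript/TypeScript (UI)"
            echo "- Python (tools, scripts)"
            echo ""
            echo "**Note:** Swift/Objective-C analysis disabled until macOS app is complete"
            echo ""
            echo "Security findings are available in the Security tab."
          } >> "$GITHUB_STEP_SUMMARY"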