How to update build process

Question

How do I update the build process in my repository to pull in dependencies or compile the application?

This is Step #5 for configuring CodeQL scans for GitHub CI. It is performed after the "updating when scans run" step and before the "updating where scans run" step.

Answer

CodeQL links against your application's dependencies in order to identify vulnerabilities in the application's use of those dependencies. To generate these links, CodeQL must download your project's dependencies. For non-compiled languages this means running your project's package manager, such as npm or pip. For compiled languages this means compiling your source code.

CodeQL attempts to auto-build your code by various means. If the CodeQL enablement pull request has failed because your build process fails, you may specify custom build steps by adding them to the codeql.yml file. You may create this file as part of the pull request, specify the build process in it, and commit it back to the pull request branch.

For example, if your repository contains JavaScript and Go code, a codeql.yml file with custom build steps for these languages might look like this:

excluded_languages:
  - name: java
    reason: "Repository contains only library code and no executable code"
build_steps:
  go: |
    export GOPROXY=https://proxy.test
    go build -o cli
  javascript: |
    npm config set registry https://ghcr.io
    npm install --omit=dev

You do not need to specify build steps for every language in your repository, only for those languages that failed to build during the CodeQL enablement pull request, or for which you explicitly want to modify the build process.

Note: If your build must be run from a specific directory, change to that directory (for example with cd) at the start of your build steps. The Actions working-directory property is not supported in the codeql-tools reusable workflow.
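As an added example (not part of this note or of the codeql-tools workflow), a small Python check that catches the common mistakes in a codeql.yml before it is committed to the enablement pull request: an excluded language without a reason, a language that is both excluded and given build steps, an empty build-step block, or a language identifier CodeQL does not know. It assumes the two-key schema shown above and a KNOWN_LANGUAGES set that stands in for whatever identifiers the reusable workflow accepts.

```python
"""Sanity checks for a codeql.yml build configuration.

Hypothetical helper, not part of CodeQL or the codeql-tools workflow.
"""

# Assumption: the language identifiers a codeql.yml may reference.
KNOWN_LANGUAGES = {"cpp", "csharp", "go", "java", "javascript", "python", "ruby", "swift"}

# Constructed input: the codeql.yml example above, already parsed into Python objects.
EXAMPLE_CONFIG = {
    "excluded_languages": [
        {"name": "java", "reason": "Repository contains only library code and no executable code"},
    ],
    "build_steps": {
        "go": "export GOPROXY=https://proxy.test\ngo build -o cli\n",
        "javascript": "npm config set registry https://ghcr.io\nnpm install --omit=dev\n",
    },
}


def validate_config(config):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    excluded = set()

    # Each excluded language needs a name we recognise and a documented reason.
    for entry in config.get("excluded_languages") or []:
        name = entry.get("name") if isinstance(entry, dict) else None
        if not name:
            problems.append("excluded_languages entry without a name")
            continue
        if name not in KNOWN_LANGUAGES:
            problems.append(f"unknown excluded language {name!r}")
        if not entry.get("reason"):
            problems.append(f"excluded language {name!r} has no reason")
        excluded.add(name)

    # Build steps must target a known, non-excluded language and contain a script.
    for lang, script in (config.get("build_steps") or {}).items():
        if lang not in KNOWN_LANGUAGES:
            problems.append(f"unknown build_steps language {lang!r}")
        if lang in excluded:
            problems.append(f"{lang!r} is excluded but also has build steps")
        if not isinstance(script, str) or not script.strip():
            problems.append(f"build steps for {lang!r} are empty")
    return problems


if __name__ == "__main__":
    print(validate_config(EXAMPLE_CONFIG) or "codeql.yml looks consistent")
```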

References

The CodeQL enablement pull request contains direct links to files in the PR that are referenced in this technical note. The following links in the PR are referenced here:

  • Create Custom Build Script - links to the .github directory where the file codeql.yml should be added

Return to enable CodeQL using GitHub CI to continue with the next step.