From ac943ba67a7ec737c7a387ad19cbb1f02618716b Mon Sep 17 00:00:00 2001 From: Matt Hargett Date: Sat, 4 Jul 2026 16:25:59 -0700 Subject: [PATCH 1/3] ci: fix stale libtinfo5 download URL in codeql_buildscript.sh The hard-coded libtinfo5_6.3-2ubuntu0.1_amd64.deb URL 404s now that the GitHub runner's ncurses has moved to 6.3-2ubuntu0.2, so libtinfo5 is not installed and the wamrc link against the prebuilt LLVM 18.1.8 (libomptarget.rtl.amdgpu, which needs the NCURSES_TINFO_5 symbols) fails with undefined references. Resolve the libtinfo5 compat package at the same ncurses version as the runner's installed libtinfo6, with a pool-scrape fallback, so it keeps working across point-release bumps. --- .github/scripts/codeql_buildscript.sh | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/scripts/codeql_buildscript.sh b/.github/scripts/codeql_buildscript.sh index 99060af8f4..dfc5faef34 100755 --- a/.github/scripts/codeql_buildscript.sh +++ b/.github/scripts/codeql_buildscript.sh @@ -19,9 +19,20 @@ sudo wget --progress=dot:giga -O clang+llvm-x86_64-linux-gnu.tar.xz https://gith popd # libtinfo.so.5 for /opt/llvm-18.1.8/lib/libomptarget.rtl.amdgpu.so.18.1 +# Install the libtinfo5 compat package at the same ncurses version as the +# runner's already-installed libtinfo6; fall back to the newest one in the +# pool. A hard-coded URL 404s once the ncurses point release is bumped, which +# then breaks the wamrc link against libomptarget (NCURSES_TINFO_5 symbols). sudo apt -qq update -wget http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb -sudo apt install -y -qq ./libtinfo5_6.3-2ubuntu0.1_amd64.deb +nc_pool="http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses" +nc_ver="$(dpkg-query -W -f='${Version}' libtinfo6)" +libtinfo5_deb="libtinfo5_${nc_ver}_amd64.deb" +if ! wget -q "${nc_pool}/${libtinfo5_deb}"; then + libtinfo5_deb="$(wget -qO- "${nc_pool}/" \ + | grep -oE 'libtinfo5_[0-9][^"]*_amd64\.deb' | sort -Vu | tail -1)" + wget -q "${nc_pool}/${libtinfo5_deb}" +fi +sudo apt install -y -qq "./${libtinfo5_deb}" # Start the build process WAMR_DIR=${PWD} From c1d908c7dc55e0d7ae0d3a627509a2c6b2211ce6 Mon Sep 17 00:00:00 2001 From: Matt Hargett Date: Sat, 4 Jul 2026 16:25:59 -0700 Subject: [PATCH 2/3] ci: make codeql_fail_on_error tolerate SARIF rule metadata in extensions codeql_fail_on_error.py crashed with `KeyError: 'rules'` whenever the CodeQL driver's rule list was empty (e.g. a clean scan) and the first tool extension carried no "rules" key - the shape current CodeQL versions emit. Read the driver rules defensively and, when absent, gather rules from all extensions, so the gate no longer aborts and can still see error-level rules contributed by a query pack. --- .github/scripts/codeql_fail_on_error.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/scripts/codeql_fail_on_error.py b/.github/scripts/codeql_fail_on_error.py index f150c38a25..1a6bcdba56 100755 --- a/.github/scripts/codeql_fail_on_error.py +++ b/.github/scripts/codeql_fail_on_error.py @@ -61,9 +61,15 @@ def codeql_sarif_contain_error(filename, dismissed_alerts): s = json.load(f) for run in s.get("runs", []): - rules_metadata = run["tool"]["driver"]["rules"] + # Rule metadata isn't always in one place: CodeQL keeps it on the tool + # driver, but rules contributed by a query-pack extension live on that + # extension instead, and the driver's list is empty when nothing fired. + # So read the driver rules, then fall back to gathering them from the + # extensions rather than assuming a fixed location. + rules_metadata = run["tool"]["driver"].get("rules") or [] if not rules_metadata: - rules_metadata = run["tool"]["extensions"][0]["rules"] + for ext in run["tool"].get("extensions", []): + rules_metadata += ext.get("rules", []) for res in run.get("results", []): if "ruleIndex" in res: From d9de8d54a468239b16c3aa134658ad0aaa279500 Mon Sep 17 00:00:00 2001 From: Matt Hargett Date: Sat, 4 Jul 2026 16:25:59 -0700 Subject: [PATCH 3/3] ci: run CodeQL on pull requests from in-repo branches codeql.yml only runs on push to dev/**, a nightly cron, and manual dispatch, so contributor changes are not scanned until after they merge. Add the pull_request event and a concurrency group. The analysis uploads results and reads code-scanning alerts, which requires security-events:write; a pull request from a fork runs with a read-only GITHUB_TOKEN and would fail those steps, so the job now runs on pull_request only when the head branch lives in this same repository. Other events keep the original behavior of running only on the upstream repository. Only pull_request runs cancel their own superseded run; branch and scheduled scans are left to finish. --- .github/workflows/codeql.yml | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c2fff0398c..4660cabe78 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,17 +9,35 @@ on: push: branches: - dev/** + # scan pull requests so findings surface on the PR instead of only post-merge + pull_request: # midnight UTC on the latest commit on the main branch schedule: - cron: "0 0 * * *" # allow to be triggered manually workflow_dispatch: +# Serialize CodeQL runs per PR / branch. Only a pull_request cancels its own +# superseded run - once a PR head is replaced the old analysis is throwaway. +# Pushes to dev/** and the nightly cron are left to finish, so branch and +# scheduled scans are never dropped. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: analyze: - # only run this job if the repository is not a fork - # if want to run this job on a fork, please remove the if condition - if: github.repository == 'bytecodealliance/wasm-micro-runtime' + # Pull requests: only scan when the head branch lives in this same + # repository. A pull request from a fork runs with a read-only GITHUB_TOKEN + # (no `security-events: write`), so uploading results and reading + # code-scanning alerts is not permitted and the job would fail; skip it + # cleanly instead. Other events (push to dev/**, the nightly cron, manual + # runs) keep the original behavior of running only on the upstream repo. + if: >- + (github.event_name == 'pull_request' && + github.event.pull_request.head.repo.full_name == github.repository) + || (github.event_name != 'pull_request' && + github.repository == 'bytecodealliance/wasm-micro-runtime') name: Analyze # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql