From bf250c59553f8983e57e67b8565b8eec61ded29e Mon Sep 17 00:00:00 2001
From: Emil Velikov
Date: Sat, 14 Sep 2024 16:12:33 +0100
Subject: [PATCH] ci: add codeql code-scanning action

Effectively a trimmed down copy of main.yml, running only on ubuntu-22.04 for now. The action flags a handful of interesting issues and allows us to prevent more from creeping in. The action does not need need docs/manpages so we disable those.

v2:
- script lives in .github/

Signed-off-by: Emil Velikov
---
 .github/workflows/codeql.yml | 67 ++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..6832cdaa
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,67 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [master, ci-test]
+  pull_request:
+    branches: [master]
+  schedule:
+    - cron: "30 2 * * 0"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        container:
+          - name: 'ubuntu:22.04'
+            meson_setup: '-D manpages=false -D docs=false'
+
+    container:
+      image: ${{ matrix.container.name }}
+
+    steps:
+      - name: Sparse checkout the local actions
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          sparse-checkout: .github
+
+      - uses: ./.github/actions/setup-ubuntu
+        if: ${{ startsWith(matrix.container.name, 'ubuntu') }}
+
+      - name: Checkout the whole project
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Set the environment
+        run: |
+          # The second checkout above claims to set safe.directory, yet it
+          # doesn't quite work. Perhaps our double/sparse checkout is to blame?
+          git config --global --add safe.directory '*'
+
+          .github/print-kdir.sh >> "$GITHUB_ENV"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        with:
+          languages: cpp
+          queries: +security-and-quality
+
+      - name: Build
+        run: |
+          mkdir build && cd build
+          meson setup --native-file ../build-dev.ini ${{ matrix.container.meson_setup }} . ..
+          meson compile
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        with:
+          category: "/language:cpp"
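Review bot: The "Set the environment" step disables git's ownership check for every path on the runner with `safe.directory '*'`, when only the workspace checkout needs it; scoping it to the checkout directory keeps the same effect for this job, e.g. `git config --global --add safe.directory "$GITHUB_WORKSPACE"`, assuming the second checkout lands in the default workspace path (worth confirming given the sparse/full double checkout the comment mentions). As a point of style in the "Build" step, `${{ matrix.container.meson_setup }}` is interpolated directly into the shell script; the value is a static matrix entry today, so there is no injection path, but the workflow-wide habit of passing expressions through `env:` (e.g. `MESON_SETUP: ${{ matrix.container.meson_setup }}` on the step and `$MESON_SETUP` in the script) avoids that pattern being copied somewhere the value is attacker-controlled. The rest of the file — SHA-pinned actions, read-only default token, job-scoped `security-events: write` — looks right. The hunk covers the whole new file.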