ci: add CodeQL Advanced workflow for C/C++ analysis#40
Open
roshan-ku wants to merge 5 commits into
Open
Conversation
Adds .github/workflows/codeql.yml, adapted from GitHub's default CodeQL Advanced setup template for this repo: - reduced language matrix to c-cpp (only language used in this repo) - build-mode set to manual, reusing the environment-check and build-dvledtx composite actions so CodeQL traces the same meson/ninja build the rest of CI performs - pinned actions/checkout and github/codeql-action to the same SHAs already used elsewhere in this repo's workflows - added concurrency group and job timeout consistent with other workflows in this repo
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
- codeql.yml: simplified to match coverity.yml (weekly schedule + workflow_dispatch only, single job, minimal permissions), dropping the push/pull_request triggers and language matrix since this repo only analyzes c-cpp. - scan_on_demand.yml: added CodeQL init/build/analyze steps alongside the existing Coverity Scan step, so an on-demand scan also runs CodeQL.
dmkarthi
reviewed
Jul 13, 2026
Adds .github/actions/analysis/codeql/action.yml (Initialize CodeQL, Build dvledtx, Perform CodeQL Analysis), matching the pattern used by the other .github/actions/analysis/* actions (coverity, trivy, etc). codeql.yml and scan_on_demand.yml now both call this single composite action instead of duplicating the three inline steps.
Add if: always() to every analysis step so a failure in one scanner (e.g. CodeQL Scan) no longer skips the remaining steps (Coverity Scan, AFL Fuzz, libFuzzer, etc). Also guard the Coverity SARIF upload with a hashFiles() check so it no longer errors with 'Path does not exist' when the Coverity Scan step didn't run/produce a report. Root cause of the reported failure: the run was manually dispatched with the default 'branch: main' input while the CodeQL composite action only existed on this PR branch at the time, so the local './.github/actions/analysis/codeql' action wasn't found in the checked-out main ref. That step failing then cascaded into skipping Coverity Scan, which made the always()-guarded SARIF upload fail too.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds .github/workflows/codeql.yml, adapted from GitHub's default CodeQL Advanced setup template for this repo:
Description
Checklist
Code Quality
Testing
Review Readiness
Documentation
Security
PR Type
What kind of change does this PR introduce?