Skip to content

ci: add CodeQL Advanced workflow for C/C++ analysis#40

Open
roshan-ku wants to merge 5 commits into
OpenVisualCloud:mainfrom
roshan-ku:ci/add-codeql-workflow
Open

ci: add CodeQL Advanced workflow for C/C++ analysis#40
roshan-ku wants to merge 5 commits into
OpenVisualCloud:mainfrom
roshan-ku:ci/add-codeql-workflow

Conversation

@roshan-ku

Copy link
Copy Markdown
Contributor

Adds .github/workflows/codeql.yml, adapted from GitHub's default CodeQL Advanced setup template for this repo:

  • reduced language matrix to c-cpp (only language used in this repo)
  • build-mode set to manual, reusing the environment-check and build-dvledtx composite actions so CodeQL traces the same meson/ninja build the rest of CI performs
  • pinned actions/checkout and github/codeql-action to the same SHAs already used elsewhere in this repo's workflows
  • added concurrency group and job timeout consistent with other workflows in this repo

Description

Checklist

Code Quality

  • Code follows project style guidelines
  • No unnecessary debug logs or commented-out code
  • No hardcoded values / secrets

Testing

  • Unit test added/modified accordingly
  • Perform manual basic sanity testing at system level

Review Readiness

  • PR title and description are clear and meaningful
  • Story/Task IDs are linked

Documentation

  • README or relevant docs updated (if applicable)

Security

  • No sensitive data exposed (keys, passwords, tokens)
  • Input validation added where needed

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Documentation content changes
  • Testing
  • Other... Please describe:

Adds .github/workflows/codeql.yml, adapted from GitHub's default
CodeQL Advanced setup template for this repo:
- reduced language matrix to c-cpp (only language used in this repo)
- build-mode set to manual, reusing the environment-check and
  build-dvledtx composite actions so CodeQL traces the same
  meson/ninja build the rest of CI performs
- pinned actions/checkout and github/codeql-action to the same SHAs
  already used elsewhere in this repo's workflows
- added concurrency group and job timeout consistent with other
  workflows in this repo
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

- codeql.yml: simplified to match coverity.yml (weekly schedule +
  workflow_dispatch only, single job, minimal permissions), dropping
  the push/pull_request triggers and language matrix since this repo
  only analyzes c-cpp.
- scan_on_demand.yml: added CodeQL init/build/analyze steps alongside
  the existing Coverity Scan step, so an on-demand scan also runs
  CodeQL.
Comment thread .github/workflows/codeql.yml
Comment thread .github/workflows/codeql.yml Outdated
Adds .github/actions/analysis/codeql/action.yml (Initialize CodeQL,
Build dvledtx, Perform CodeQL Analysis), matching the pattern used by
the other .github/actions/analysis/* actions (coverity, trivy, etc).

codeql.yml and scan_on_demand.yml now both call this single composite
action instead of duplicating the three inline steps.
@roshan-ku
roshan-ku requested a review from dmkarthi July 13, 2026 06:07
Add if: always() to every analysis step so a failure in one scanner
(e.g. CodeQL Scan) no longer skips the remaining steps (Coverity Scan,
AFL Fuzz, libFuzzer, etc).

Also guard the Coverity SARIF upload with a hashFiles() check so it
no longer errors with 'Path does not exist' when the Coverity Scan
step didn't run/produce a report.

Root cause of the reported failure: the run was manually dispatched
with the default 'branch: main' input while the CodeQL composite
action only existed on this PR branch at the time, so the local
'./.github/actions/analysis/codeql' action wasn't found in the
checked-out main ref. That step failing then cascaded into skipping
Coverity Scan, which made the always()-guarded SARIF upload fail too.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants