From d46709504c07aceee18ee22b3a66d0efff3eeb2f Mon Sep 17 00:00:00 2001
From: Sorin Sbarnea
Date: Wed, 27 Mar 2024 13:21:20 +0000
Subject: [PATCH] Add codeql pipeline (#118)
---
 .config/dictionary.txt | 1 +
 .github/workflows/tox.yml | 38 ++++++++++++++++++++++++++++++++++++++
 cspell.config.yaml | 2 --
 3 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/.config/dictionary.txt b/.config/dictionary.txt
index 8da68c7..612e22c 100644
--- a/.config/dictionary.txt
+++ b/.config/dictionary.txt
@@ -6,6 +6,7 @@ Roboto
 TOXENV
 ansiblelint
 arithmatex
+autobuild
 autofix
 autohide
 autoupdate
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
index a3f6e58..14ec63a 100644
--- a/.github/workflows/tox.yml
+++ b/.github/workflows/tox.yml
@@ -125,6 +125,43 @@ jobs:
 fi # https://github.com/actions/toolkit/issues/193
+ codeql:
+ name: codeql
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["python"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
+
 check: # This job does nothing and is only used for the branch protection
 if: always()
 permissions:
@@ -132,6 +169,7 @@ jobs:
 needs:
 - build
+ - codeql
 runs-on: ubuntu-latest
diff --git a/cspell.config.yaml b/cspell.config.yaml
index c80fd0b..c02988e 100644
--- a/cspell.config.yaml
+++ b/cspell.config.yaml
@@ -13,8 +13,6 @@ ignorePaths:
 - cspell.config.yaml # The requirements file - .config/constraints.txt - docs/requirements.txt - docs/requirements.in # Test fixtures generated from outside - test/**/*.result - src/ansiblelint/schemas/*.json
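Review bot: The four `uses:` lines in the new codeql job (`actions/checkout@v4`, `github/codeql-action/init@v3`, `.../autobuild@v3`, `.../analyze@v3`) are pinned to mutable major tags, so a retargeted or compromised tag would run inside a job that holds `security-events: write`; pin each to a full commit SHA with the version kept as a trailing comment, e.g. `uses: github/codeql-action/init@<full-commit-sha> # v3`, and let Dependabot or Renovate bump the SHAs (the rest of the workflow is outside this hunk, so I can't tell whether it already pins elsewhere). Since the second hunk makes the branch-protection `check` job depend on this scan, consider also uncommenting `queries: security-extended` under `with:` so the gate runs the broader security suite rather than the default one. The `Autobuild` step is generally unnecessary for a Python-only matrix and can be dropped to shorten the job, although leaving it is harmless. Because the job checks out and analyzes repository code, confirm that the workflow's `on:` triggers (outside the hunk) do not include `pull_request_target`, where untrusted PR code would run with this job's token.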