Add CodeQL Analysis workflow

[andy5995]

No description provided.

[andy5995]

It doesn't run. The message is

github/codeql-action/init@v3, github/codeql-action/autobuild@v3, and github/codeql-action/analyze@v3 are not allowed to be used in geany/geany. Actions in this workflow must be: within a repository owned by geany or matching the following: actions/cache@v2, actions/setup-python@v2, actions/cache@v3, actions/upload-artifact@v3, actions/checkout@v3, docker/login-action@v2, actions/setup-python@v4, actions/delete-package-versions@v4, msys2/setup-msys2@v2, actions/cache@v4, actions/checkout@v4, actions/upload-artifact@v4, docker/login-action@v3, jwalton/gh-find-current-pr@v1, actions/delete-package-versions@v5, actions/setup-python@v5.

[elextr]

Maybe you could try the CLI version and see if its useful first.

[andy5995]

I enabled the default scan from my repository settings. The only problems it found were related to Scintilla https://github.com/andy5995/geany/security/code-scanning

[elextr]

Erm, the link doesn't work.

[rdipardo]

Erm, the link doesn't work.

That's because:

[y]ou need write permission to view a summary of all the alerts for a repository on the Security tab.

https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository

Only scans of pull requests are publicly visible, per the docs.

[andy5995]

@rdipardo Thank you for the explanation. @elextr I sent you an invite to be a collaborator.

Another thing CodeQL does is when a workflow is in place, it gives alerts for any problematic code that may be introduced in a pull request.

[rdipardo]

@andy5995

... an invite to be a collaborator.

You could also just open a PR in your fork from the branch with the CodeQL workflow in it. If an alert doesn't appear automatically, there should be an option to publish it.

[eht16]

Sounds good.

• For the next time, a description to describe what is the PR about and more importantly why, is generally a good idea.
• We could add *.py to the patterns and python to the matrix to also cover the Python helper scripts in the repository.
• Also, could you strip the commented code from the workflow definition and also the extensive description comments? I think they are not very useful.
• I enabled the mentioned "github/*" actions. In general we restrict the usable actions to the necessary ones for security reasons.

[eht16]

Adding workflow_dispatch: might be a good idea to manually re-run the workflow.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[andy5995]

For the next time, a description to describe what is the PR about and more importantly why, is generally a good idea.

Understood!

We could add *.py to the patterns and python to the matrix to also cover the Python helper scripts in the repository.

Done.

Also, could you strip the commented code from the workflow definition and also the extensive description comments? I think they are not very useful.

Done.

Adding workflow_dispatch: might be a good idea to manually re-run the workflow.

Done. Some examples of this workflow include a cron schedule as well. Would you like that added, and if so, how often should it be scheduled?

[eht16]

Thanks!

Done. Some examples of this workflow include a cron schedule as well. Would you like that added, and if so, how often should it be scheduled?

I would say once in a month is a good start.

[eht16]

Adding workflow_dispatch: might be a good idea to manually re-run the workflow.

I would still recommend this simple change.

And it seems the configuration still has syntax errors: https://github.com/geany/geany/actions/runs/8135027731/workflow

[andy5995]

Adding workflow_dispatch: might be a good idea to manually re-run the workflow.

I would still recommend this simple change.

And it seems the configuration still has syntax errors: https://github.com/geany/geany/actions/runs/8135027731/workflow

That seems outdated. I added the workflow_dispatch and fixed the cron syntax/indentation about a week ago.

[eht16]

Adding workflow_dispatch: might be a good idea to manually re-run the workflow.

I would still recommend this simple change.
And it seems the configuration still has syntax errors: https://github.com/geany/geany/actions/runs/8135027731/workflow

That seems outdated. I added the workflow_dispatch and fixed the cron syntax/indentation about a week ago.

Sorry, I guess I didn't properly refresh this page and so commented on the old code.

Looks good to me now.
Thanks.

[andy5995]

No worries @eht16 , I know mistakes happen to humans. Cheers!