GHA: drop codeql

We started using codeql for static code analysis in 7183f5acc3d7ca39,
June 2020.

Since then, not a single commit has been merged into the source code
repository citing codeql as source or reason. Yet, it keeps getting
updated and we get constant reminders to upgrade the pinning it to the
latest hash.

During 4.5 years with intense development and significant code churn.
While Coverity, scan-build and CodeSonar have belped us point out many
mistakes, codeql has remained silent (or had false positives).

For this little gain, I think we spend a disproportionate amount of work
on codeql maintanance.

We can try again in a future if we think it improves.

Assisted-by: Viktor Szakats
Closes #15798

diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words
index 7aa13af7075b9209438e9e15a7ce5b55b58d2747..8d20279a35401de6460a3f88422706c988ec6b4d 100644 (file)
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@@ -121,8 +121,6 @@ CMakeLists
 CNA
 CNAME
 CNAMEs
-CodeQL
-codeql
 CODESET
 codeset
 Comcast

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644 (file)
index e3fe905..0000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
-#
-# SPDX-License-Identifier: curl
-
-name: CodeQL
-
-'on':
-  push:
-    branches:
-      - master
-      - '*/ci'
-    paths-ignore:
-      - '**/*.md'
-      - '.circleci/**'
-      - 'appveyor.*'
-      - 'docs/**'
-      - 'packages/**'
-      - 'plan9/**'
-      - 'projects/**'
-      - 'tests/data/**'
-      - 'winbuild/**'
-  pull_request:
-    branches:
-      - master
-    paths-ignore:
-      - '**/*.md'
-      - '.circleci/**'
-      - 'appveyor.*'
-      - 'docs/**'
-      - 'packages/**'
-      - 'plan9/**'
-      - 'projects/**'
-      - 'tests/data/**'
-      - 'winbuild/**'
-  schedule:
-    - cron: '0 0 * * 4'
-
-concurrency:
-  group: ${{ github.workflow }}
-
-permissions: {}
-
-jobs:
-  codeql:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    steps:
-      - name: 'install prereqs'
-        run: |
-          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update -y
-          sudo apt-get install -y --no-install-suggests --no-install-recommends \
-            libpsl-dev
-
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
-        with:
-          languages: cpp
-          queries: security-extended
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 https://git.io/JvXDl
-
-      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-      #    and modify them (or add more) to build your code if your project
-      #    uses a compiled language
-
-      # - run: |
-      #    make bootstrap
-      #    make release
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3

diff --git a/tests/CI.md b/tests/CI.md
index 16aba083055d6dc9c28d7dd7d4f5a6d866406ae6..c4954097c6b015951eb0d258b6f52a75d72e0906 100644 (file)
--- a/tests/CI.md
+++ b/tests/CI.md
@@ -31,10 +31,8 @@ Consider the following table while looking at pull request failures:
 
  | CI platform as shown in PR          | State  | What to look at next       |
  | ----------------------------------- | ------ | -------------------------- |
- | CI / codeql                         | stable | quality check results      |
  | CI / fuzzing                        | stable | fuzzing results            |
  | CI / macos ...                      | stable | all errors and failures    |
- | Code scanning results / CodeQL      | stable | quality check results      |
  | FreeBSD FreeBSD: ...                | stable | all errors and failures    |
  | LGTM analysis: Python               | stable | new findings               |
  | LGTM analysis:  C/C++               | stable | new findings               |
@@ -42,7 +40,6 @@ Consider the following table while looking at pull request failures:
  | AppVeyor                            | flaky  | all errors and failures    |
  | curl.curl (linux ...)               | stable | all errors and failures    |
  | curl.curl (windows ...)             | flaky  | repetitive errors/failures |
- | CodeQL                              | stable | new findings               |
 
 Sometimes the tests fail due to a dependency service temporarily being offline
 or otherwise unavailable, for example package downloads. In this case you can
@@ -62,7 +59,6 @@ GitHub Actions runs the following tests:
 - Fuzz tests ([see the curl-fuzzer repo for more
   info](https://github.com/curl/curl-fuzzer)).
 - Curl compiled using the Rust TLS backend with Hyper
-- CodeQL static analysis
 
 These are each configured in different files in `.github/workflows`.