From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 21 Dec 2024 13:58:24 +0000 (+0100)
Subject: GHA: drop codeql
X-Git-Tag: curl-8_12_0~284
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=173805b2e76960de5c51fd5fe64286d8ac81f1ff;p=thirdparty%2Fcurl.git

GHA: drop codeql

We started using codeql for static code analysis in 7183f5acc3d7ca39,
June 2020.

Since then, not a single commit has been merged into the source code
repository citing codeql as source or reason. Yet, it keeps getting
updated and we get constant reminders to upgrade the pinning it to the
latest hash.

During 4.5 years with intense development and significant code churn.
While Coverity, scan-build and CodeSonar have belped us point out many
mistakes, codeql has remained silent (or had false positives).

For this little gain, I think we spend a disproportionate amount of work
on codeql maintanance.

We can try again in a future if we think it improves.

Assisted-by: Viktor Szakats
Closes #15798
---

diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words
index 7aa13af707..8d20279a35 100644
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@@ -121,8 +121,6 @@ CMakeLists
 CNA
 CNAME
 CNAMEs
-CodeQL
-codeql
 CODESET
 codeset
 Comcast
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index e3fe9051e3..0000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
-#
-# SPDX-License-Identifier: curl
-
-name: CodeQL
-
-'on':
-  push:
-    branches:
-      - master
-      - '*/ci'
-    paths-ignore:
-      - '**/*.md'
-      - '.circleci/**'
-      - 'appveyor.*'
-      - 'docs/**'
-      - 'packages/**'
-      - 'plan9/**'
-      - 'projects/**'
-      - 'tests/data/**'
-      - 'winbuild/**'
-  pull_request:
-    branches:
-      - master
-    paths-ignore:
-      - '**/*.md'
-      - '.circleci/**'
-      - 'appveyor.*'
-      - 'docs/**'
-      - 'packages/**'
-      - 'plan9/**'
-      - 'projects/**'
-      - 'tests/data/**'
-      - 'winbuild/**'
-  schedule:
-    - cron: '0 0 * * 4'
-
-concurrency:
-  group: ${{ github.workflow }}
-
-permissions: {}
-
-jobs:
-  codeql:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    steps:
-      - name: 'install prereqs'
-        run: |
-          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update -y
-          sudo apt-get install -y --no-install-suggests --no-install-recommends \
-            libpsl-dev
-
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
-        with:
-          languages: cpp
-          queries: security-extended
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
-
-      # â¹ï¸ Command-line programs to run using the OS shell.
-      # ð https://git.io/JvXDl
-
-      # âï¸ If the Autobuild fails above, remove it and uncomment the following three lines
-      #    and modify them (or add more) to build your code if your project
-      #    uses a compiled language
-
-      # - run: |
-      #    make bootstrap
-      #    make release
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
diff --git a/tests/CI.md b/tests/CI.md
index 16aba08305..c4954097c6 100644
--- a/tests/CI.md
+++ b/tests/CI.md
@@ -31,10 +31,8 @@ Consider the following table while looking at pull request failures:
 
  | CI platform as shown in PR          | State  | What to look at next       |
  | ----------------------------------- | ------ | -------------------------- |
- | CI / codeql                         | stable | quality check results      |
  | CI / fuzzing                        | stable | fuzzing results            |
  | CI / macos ...                      | stable | all errors and failures    |
- | Code scanning results / CodeQL      | stable | quality check results      |
  | FreeBSD FreeBSD: ...                | stable | all errors and failures    |
  | LGTM analysis: Python               | stable | new findings               |
  | LGTM analysis:  C/C++               | stable | new findings               |
@@ -42,7 +40,6 @@ Consider the following table while looking at pull request failures:
  | AppVeyor                            | flaky  | all errors and failures    |
  | curl.curl (linux ...)               | stable | all errors and failures    |
  | curl.curl (windows ...)             | flaky  | repetitive errors/failures |
- | CodeQL                              | stable | new findings               |
 
 Sometimes the tests fail due to a dependency service temporarily being offline
 or otherwise unavailable, for example package downloads. In this case you can
@@ -62,7 +59,6 @@ GitHub Actions runs the following tests:
 - Fuzz tests ([see the curl-fuzzer repo for more
   info](https://github.com/curl/curl-fuzzer)).
 - Curl compiled using the Rust TLS backend with Hyper
-- CodeQL static analysis
 
 These are each configured in different files in `.github/workflows`.