GHA/codeql: improve perf on Windows, enable `CURL_WERROR=ON`, and more

- set `CURL_DROP_UNUSED=ON` for Windows (MSVC) to make the analysis step
  faster: 1m30s -> 1m15s

- enable `CURL_WERROR=ON` in all builds, to catch potential build issues
  in addition to running CodeQL. To make these builds useful as regular
  build tests too.

- add links to CodeQL Actions documentation.

- delete test data C files after checkout in an attempt to remove them
  from CodeQL code coverage stats.

Closes #20418

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bc94d451fcbe7803ab93f7396a744bbf26d71aa4..834a35d96abf520e09ff0b346b1dba73779d3068 100644 (file)
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -81,7 +81,12 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: 'delete test input C files'
+        shell: bash
+        run: find tests/data -name '*.c' -delete
+
       - name: 'initialize'
+        # https://github.com/github/codeql-action/blob/main/init/action.yml
         uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           languages: cpp
@@ -93,7 +98,7 @@ jobs:
         shell: bash
         run: |
           if [ "${MATRIX_PLATFORM}" = 'Windows' ]; then
-            cmake -B . -DBUILD_SHARED_LIBS=OFF \
+            cmake -B . -DBUILD_SHARED_LIBS=OFF -DCURL_DROP_UNUSED=ON -DCURL_WERROR=ON \
               -DCMAKE_VS_GLOBALS=TrackFileAccess=false \
               -DCURL_USE_SCHANNEL=ON -DCURL_USE_LIBPSL=OFF -DUSE_WIN32_IDN=ON
             cmake --build . --verbose
@@ -103,7 +108,7 @@ jobs:
 
             # MultiSSL
             export PKG_CONFIG_PATH; PKG_CONFIG_PATH="$(brew --prefix c-ares)/lib/pkgconfig:$(brew --prefix mbedtls)/lib/pkgconfig:$(brew --prefix rustls-ffi)/lib/pkgconfig:$(brew --prefix gsasl)/lib/pkgconfig"
-            cmake -B _bld1 -G Ninja -DCURL_DISABLE_TYPECHECK=ON -DENABLE_DEBUG=ON \
+            cmake -B _bld1 -G Ninja -DCURL_DISABLE_TYPECHECK=ON -DCURL_WERROR=ON -DENABLE_DEBUG=ON \
               -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DCURL_USE_RUSTLS=ON -DCURL_USE_WOLFSSL=ON \
               -DUSE_LIBRTMP=ON -DCURL_USE_GSASL=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON -DUSE_ECH=ON -DENABLE_ARES=ON \
               -DCURL_DISABLE_VERBOSE_STRINGS=ON
@@ -113,7 +118,7 @@ jobs:
 
             # HTTP/3
             export PKG_CONFIG_PATH; PKG_CONFIG_PATH="$(brew --prefix libnghttp3)/lib/pkgconfig:$(brew --prefix libngtcp2)/lib/pkgconfig:$(brew --prefix gsasl)/lib/pkgconfig"
-            cmake -B _bld2 -G Ninja -DCURL_DISABLE_TYPECHECK=ON \
+            cmake -B _bld2 -G Ninja -DCURL_DISABLE_TYPECHECK=ON -DCURL_WERROR=ON \
               -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR="$(brew --prefix openssl)" -DUSE_NGTCP2=ON \
               -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON \
               -DUSE_LIBRTMP=ON -DCURL_USE_GSASL=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON
@@ -126,4 +131,5 @@ jobs:
           fi
 
       - name: 'perform analysis'
+        # https://github.com/github/codeql-action/blob/main/analyze/action.yml
         uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9