git.ipfire.org Git - thirdparty/curl.git/commitdiff
GHA/codeql: re-enable for C with the default query pack
author Viktor Szakats <commit@vsz.me>
Thu, 11 Sep 2025 17:50:40 +0000 (19:50 +0200)
committer Viktor Szakats <commit@vsz.me>
Fri, 12 Sep 2025 09:03:44 +0000 (11:03 +0200)
Earlier we used `security-extended` and tried `security-and-quality`.
Try the default to see how it works.

CodeQL no longer uses the project's Actions cache, also fixing
the previously seen repeat cache entry issue.

- switch to `manual` build. It's 3x faster than the default `autobuild`.
- enable more dependencies to increase coverage.
- docs/tests/CI.md: re-add CodeQL.

Ref: https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites
Ref: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
Ref: #16263
Ref: 173805b2e76960de5c51fd5fe64286d8ac81f1ff #15798

Closes #18528

.github/scripts/spellcheck.words
.github/workflows/codeql.yml
docs/tests/CI.md

index 13b7b2f3674d0638c422d8d444b4ec9a4f6cce18..46c05b741bcfee135140bd1e1d673192577739fd 100644 (file)
@@ -122,6 +122,7 @@ CMakeLists
 CNA
 CNAME
 CNAMEs
+CodeQL
 CODESET
 codeset
 CodeSonar
index 9863f7624d2c19e9f13a9e87ce34e8db96dd59e9..0952eb3d1d2281d1ab0b544b4c508087e4325e9d 100644 (file)
@@ -59,3 +59,37 @@ jobs:
 
       - name: 'perform analysis'
         uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3
+
+  c:
+    name: 'C'
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: 'install prereqs'
+        timeout-minutes: 5
+        run: |
+          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+          sudo apt-get -o Dpkg::Use-Pty=0 update
+          sudo rm -f /var/lib/man-db/auto-update
+          sudo apt-get -o Dpkg::Use-Pty=0 install libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: 'initialize'
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3
+        with:
+          languages: cpp
+          build-mode: manual
+
+      - name: 'build'
+        timeout-minutes: 10
+        run: |
+          cmake -B . -G Ninja
+          cmake --build . --verbose
+          src/curl -V
+
+      - name: 'perform analysis'
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3
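Review bot: the `cmake -B . -G Ninja` build step in the new `c` job passes no feature options, so whether the libraries installed in 'install prereqs' (libpsl, brotli, idn2, libssh2, nghttp2, ldap) actually end up in the binary CodeQL analyses depends entirely on curl's CMake defaults; since the stated goal of the job is wider coverage, pass the relevant `-D` options explicitly, or at minimum check the features list that `src/curl -V` prints in the run log and fail the step if an expected one is missing. Two smaller points: the job-level `permissions` block lists only `security-events: write`, which sets every other scope (including `contents`) to none, so add an explicit `contents: read` if the checkout or the analyze upload turns out to need the token rather than relying on public-repo behaviour; and the two `sudo rm -f` lines (microsoft-prod.list, man-db auto-update) deserve a one-line comment saying they are there to speed up `apt-get`, otherwise the next reader will wonder whether they can be dropped.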
index d101e3563c710d074b545cda6b5d8240f765c00a..40c87ba14e16708e99588c7556ed73e3bb07d863 100644 (file)
@@ -31,8 +31,10 @@ Consider the following table while looking at pull request failures:
 
  | CI platform as shown in PR          | State  | What to look at next       |
  | ----------------------------------- | ------ | -------------------------- |
+ | CI / CodeQL                         | stable | quality check results      |
  | CI / fuzzing                        | stable | fuzzing results            |
  | CI / macos ...                      | stable | all errors and failures    |
+ | Code scanning results / CodeQL      | stable | quality check results      |
  | FreeBSD FreeBSD: ...                | stable | all errors and failures    |
  | LGTM analysis: Python               | stable | new findings               |
  | LGTM analysis:  C/C++               | stable | new findings               |
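Review bot: the two new rows `CI / CodeQL` and `Code scanning results / CodeQL` both give `quality check results` under 'What to look at next', which does not match the wording this table already uses for its other static-analysis rows (`LGTM analysis: ...` says `new findings`); with the default query pack the output is security findings rather than a quality check, so `new findings` would be both more accurate and consistent with the neighbouring rows.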
@@ -40,6 +42,7 @@ Consider the following table while looking at pull request failures:
  | AppVeyor                            | flaky  | all errors and failures    |
  | curl.curl (linux ...)               | stable | all errors and failures    |
  | curl.curl (windows ...)             | flaky  | repetitive errors/failures |
+ | CodeQL                              | stable | new findings               |
 
 Sometimes the tests fail due to a dependency service temporarily being offline
 or otherwise unavailable, for example package downloads. In this case you can
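Review bot: the `CodeQL` row appended to the end of this second table duplicates the `CI / CodeQL` and `Code scanning results / CodeQL` rows added to the first table in the previous hunk, and with different guidance (`new findings` here versus `quality check results` there); keep one entry per check name exactly as it appears in the PR status list, with a single 'What to look at next' wording, and drop the other so readers are not told two different things about the same check.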
@@ -58,6 +61,7 @@ GitHub Actions runs the following tests:
 - macOS tests with a variety of different compilation options
 - Fuzz tests ([see the curl-fuzzer repo for more
   info](https://github.com/curl/curl-fuzzer)).
+- CodeQL static analysis
 
 These are each configured in different files in `.github/workflows`.