
ci: add CodeQL Advanced analysis workflow #10

Merged: deku2026 merged 5 commits into main from ci/add-codeql-analysis on Mar 3, 2026

Conversation


@deku2026 deku2026 commented Mar 3, 2026

Summary

Add CodeQL Advanced security analysis for C/C++ code.

Details

  • Language: C/C++ with manual build mode
  • Generator: Visual Studio 2026 (CodeQL needs to intercept compiler calls, incompatible with FASTBuild)
  • Schedule: Weekly on Wednesday 17:19 UTC + push to main + PRs
  • Caching: Reuses vcpkg installed packages cache (shared with Windows CI via `restore-keys` fallback)
  • Runner: `windows-2025-vs2026` (same as Windows CI)

Differences from Windows CI workflow

|                    | Windows CI     | CodeQL             |
|--------------------|----------------|--------------------|
| Generator          | FASTBuild      | Visual Studio 2026 |
| FASTBuild cache    | Yes (4 GB)     | N/A                |
| Build config       | RelWithDebInfo | Release            |
| Warnings as errors | Yes            | No                 |

Note: Branch trigger `ci/add-codeql-analysis` is temporary for testing and should be removed before merge.

- Uses Visual Studio 2026 generator (not FASTBuild) for CodeQL compatibility
- Runs on push to main, PRs, and weekly schedule (Wed 17:19 UTC)
- Reuses vcpkg cache from Windows CI workflow via restore-keys fallback
- Temporarily includes ci/add-codeql-analysis branch for testing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 3, 2026 13:04

Copilot AI left a comment


Pull request overview

Adds a new GitHub Actions workflow to run CodeQL Advanced security analysis for the repository’s C/C++ codebase on the Windows VS2026 runner, using a manual CMake/MSBuild build to enable CodeQL tracing.

Changes:

  • Introduces .github/workflows/codeql.yml to run CodeQL on pushes to main, PRs to main, and a weekly schedule.
  • Uses the windows-vs CMake preset (VS 2026 generator) and builds Release via cmake --build build/vs --config Release.
  • Adds vcpkg/Qt setup steps intended to mirror Windows CI dependency provisioning.


Comment thread on .github/workflows/codeql.yml (outdated)

```yaml
on:
  push:
    branches: [main, ci/add-codeql-analysis] # TODO: remove ci/add-codeql-analysis after testing
```

Copilot AI Mar 3, 2026


The push trigger still includes the temporary testing branch ci/add-codeql-analysis. Per the PR description this should be removed before merge; otherwise the workflow will keep running on that branch indefinitely.

Comment thread on .github/workflows/codeql.yml (outdated)

```yaml
uses: actions/cache@v4
with:
  path: C:\vcpkg\installed
  key: vcpkg-x64-windows-${{ hashFiles('vcpkg.json') }}-v1
```

Copilot AI Mar 3, 2026


Cache key uses hashFiles('vcpkg.json'), but this repo does not contain a vcpkg.json, so hashFiles will be empty and the key will effectively be constant (risking stale/incorrect caches when the vcpkg package list changes). Use a hash input that actually changes with the package set (e.g., include this workflow file like Windows CI does, or hash a file that defines the dependency list).

Suggested change:

```diff
- key: vcpkg-x64-windows-${{ hashFiles('vcpkg.json') }}-v1
+ key: vcpkg-x64-windows-${{ hashFiles('.github/workflows/codeql.yml') }}-v1
```

deku2026 and others added 4 commits March 3, 2026 23:17
MSBuild defaults to single-threaded project building. Add --parallel
flag so CMake passes /m to MSBuild, enabling multi-core compilation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- actions/checkout v4 → v6
- actions/cache v4 → v5
- actions/github-script v7 → v8
- actions/upload-artifact v4 → v7

Closes #6, closes #7, closes #8, closes #9

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Add paths config to only analyze project source code (app/, tools/)
- third_party/ and foundation/ excluded — foundation has its own repo
- Remove temporary ci/add-codeql-analysis branch from push trigger

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

CodeQL now only runs on push to main (post-merge) and weekly schedule.
Avoids redundant scans on every PR.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
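A workflow that assembles the pieces described in the PR summary, the cache-key review comment and the follow-up commits (an added example, not the repository's own codeql.yml): push-to-main plus the Wednesday 17:19 UTC schedule, manual build mode with the windows-vs preset, analysis limited to app/ and tools/, and a vcpkg cache key that actually changes, with a restore-keys fallback onto the Windows CI cache. The runner label, preset name, cache path and action versions are taken from this page; the Qt/vcpkg install steps are omitted, and the `vcpkg-x64-windows-` restore-key prefix is an assumption about how the Windows CI workflow names its cache.

```yaml
name: CodeQL Advanced

on:
  push:
    branches: [main]          # post-merge scans only; the PR trigger was dropped in the last commit
  schedule:
    - cron: '19 17 * * 3'     # Wednesday 17:19 UTC

permissions:
  contents: read
  security-events: write      # needed to upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: windows-2025-vs2026   # runner label from the PR description (assumed to exist)
    steps:
      - uses: actions/checkout@v6

      # Only project code is analysed; third_party/ and foundation/ are excluded
      - uses: github/codeql-action/init@v3
        with:
          languages: c-cpp
          build-mode: manual
          config: |
            paths:
              - app
              - tools
            paths-ignore:
              - third_party
              - foundation

      # Key hashes this workflow file, as suggested in review, so it changes when the
      # package list changes; restore-keys falls back to the newest Windows CI cache.
      - uses: actions/cache@v5
        with:
          path: C:\vcpkg\installed
          key: vcpkg-x64-windows-${{ hashFiles('.github/workflows/codeql.yml') }}-v1
          restore-keys: |
            vcpkg-x64-windows-

      # Manual build: the CodeQL tracer intercepts the cl.exe invocations MSBuild makes,
      # which is why the VS generator is used instead of FASTBuild.
      - name: Configure and build (VS 2026 generator, Release)
        run: |
          cmake --preset windows-vs
          cmake --build build/vs --config Release --parallel

      - uses: github/codeql-action/analyze@v3
        with:
          category: /language:c-cpp
```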
@deku2026 deku2026 merged commit 88602a6 into main Mar 3, 2026
2 checks passed