From 88a33a43b96ffd4aa226b346806e70a46b36a19d Mon Sep 17 00:00:00 2001
From: Hartmut Kaiser
Date: Sun, 12 May 2024 11:04:55 -0500
Subject: [PATCH] Create codeql.yml and msvc_analysis.yml
---
 .github/workflows/codeql.yml | 97 +++++++++++++++++++++++++++++
 .github/workflows/msvc_analysis.yml | 72 +++++++++++++++++++++
 2 files changed, 169 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/msvc_analysis.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000000..ba73725574dc
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,97 @@
+# Copyright (c) 2024 The STE||AR Group
+#
+# SPDX-License-Identifier: BSL-1.0
+# Distributed under the Boost Software License, Version 1.0. (See accompanying
+# file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master", "release**" ]
+ pull_request:
+ branches: [ "master", "release**" ]
+# schedule:
+# - cron: '33 1 * * 4'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: c-cpp
+ build-mode: manual
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ queries: security-and-quality
+
+ - name: Install CMake
+ uses: ssrobins/install-cmake@v1
+
+ - name: Install Ninja
+ uses: seanmiddleditch/gha-setup-ninja@master
+
+ - if: matrix.build-mode == 'manual'
+ run: |
+ cmake . 
-Bbuild -GNinja \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DHPX_WITH_MALLOC=system \
+ -DHPX_WITH_FETCH_ASIO=ON \
+ -DHPX_WITH_FETCH_BOOST=ON \
+ -DHPX_WITH_FETCH_HWLOC=ON \
+ -DHPX_WITH_EXAMPLES=OFF \
+ -DHPX_WITH_TESTS=OFF
+ cmake --build build --target all
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
+ output: sarif-results
+ upload: failure-only # disable the upload here - we will upload in a different action
+
+ - name: Filter SARIF
+ uses: advanced-security/filter-sarif@v1
+ with:
+ # filter out all files from downloaded dependencies
+ patterns: |
+ -**/_deps/*
+ input: sarif-results/cpp.sarif
+ output: sarif-results/cpp.sarif
+
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: sarif-results/cpp.sarif
+
+# # optional: for debugging the uploaded sarif
+# - name: Upload SARIF as a Build Artifact
+# uses: actions/upload-artifact@v3
+# with:
+# name: sarif-results
+# path: sarif-results
+# retention-days: 1
diff --git a/.github/workflows/msvc_analysis.yml b/.github/workflows/msvc_analysis.yml
new file mode 100644
index 000000000000..c11a20a4fe07
--- /dev/null
+++ b/.github/workflows/msvc_analysis.yml
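Review bot: `uses: seanmiddleditch/gha-setup-ninja@master` in the Install Ninja step tracks a mutable branch, so whatever that repository's branch head holds at run time executes inside a job that carries `security-events: write` and `packages: read` and is triggered by every pull request; `ssrobins/install-cmake@v1` and `advanced-security/filter-sarif@v1` follow movable tags as well. Pin each third-party action to a full commit SHA with the version in a trailing comment, e.g. `uses: seanmiddleditch/gha-setup-ninja@<commit-sha>  # v<version>`, and let Dependabot's github-actions ecosystem keep the pins current. The same pinning applies to the tag-referenced actions in msvc_analysis.yml. Because the Filter SARIF step rewrites `sarif-results/cpp.sarif` in place before upload, an unexpected change in that action would surface as silently missing findings rather than a failed run, which is the quiet failure mode the pin guards against.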
@@ -0,0 +1,72 @@
+# Copyright (c) 2024 The STE||AR Group
+#
+# SPDX-License-Identifier: BSL-1.0
+# Distributed under the Boost Software License, Version 1.0. (See accompanying
+# file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+
+name: Microsoft C++ Code Analysis
+
+on:
+ push:
+ branches: [ "master", "release**" ]
+ pull_request:
+ branches: [ "master" ]
+# schedule:
+# - cron: '36 12 * * 4'
+
+env:
+ # Path to the CMake build directory.
+ build: 'build'
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif
+ # to get the Action run status
+ name: Analyze
+ runs-on: windows-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Configure CMake
+ shell: bash
+ run: |
+ cmake . -B ${{ env.build }} \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DHPX_WITH_MALLOC=system \
+ -DHPX_WITH_FETCH_ASIO=ON \
+ -DHPX_WITH_FETCH_BOOST=ON \
+ -DHPX_WITH_FETCH_HWLOC=ON \
+ -DHPX_WITH_EXAMPLES=OFF \
+ -DHPX_WITH_TESTS=OFF
+
+ - name: Initialize MSVC Code Analysis
+ uses: microsoft/msvc-code-analysis-action@v0.1.1
+ # Provide a unique ID to access the sarif output path
+ id: run-analysis
+ with:
+ cmakeBuildDirectory: ${{ env.build }}
+ buildConfiguration: Release
+ # Ruleset file that will determine what checks will be run
+ ruleset: NativeRecommendedRules.ruleset
+ ignoredPaths: ${{ env.build }}
+
+ # Upload SARIF file to GitHub Code Scanning Alerts
+ - name: Upload SARIF to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.run-analysis.outputs.sarif }}
+
+# # Upload SARIF file as an Artifact to download and view
+# - name: Upload SARIF as an Artifact
+# uses: actions/upload-artifact@v3
+# with:
+# name: sarif-file
+# path: ${{ 
steps.run-analysis.outputs.sarif }}
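Review bot: The `schedule` trigger is left as two commented-out lines under `on:`, so this analysis runs only when code is pushed or a pull request is opened; rules added by a newer release of the MSVC analysis action or behaviour changes in dependencies refreshed through the `HPX_WITH_FETCH_*` options are never re-evaluated on an otherwise idle branch. Either enable the weekly run (`schedule:` followed by `- cron: '36 12 * * 4'`, as the template intended) or add a one-line comment stating why scheduled scans are intentionally off; the commented `schedule` block in codeql.yml has the same gap. Separately, `pull_request` here is limited to `branches: [ "master" ]` while `push` also covers `release**`, and codeql.yml scans pull requests against release branches too; if that asymmetry is deliberate, a short comment next to the `pull_request` key would keep the next reader from "fixing" it.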