Merge branch 'codeql_nobuild'

lucasssvaz · lucasssvaz · commit 7873bc5f2904 · 2025-07-25T14:50:06.000-03:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -11,6 +11,7 @@
 
 # CI
 /.github/ @lucasssvaz @me-no-dev @P-R-O-C-H-Y
+/.github/codeql/ @lucasssvaz
 /.gitlab/ @lucasssvaz
 /tests/ @lucasssvaz @P-R-O-C-H-Y
 
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,23 @@
+name: "CodeQL config"
+
+packs:
+  - trailofbits/cpp-queries
+  - githubsecuritylab/codeql-cpp-queries
+  - githubsecuritylab/codeql-python-queries
+
+queries:
+  - uses: security-extended
+  - uses: security-and-quality
+
+query-filters:
+  - exclude:
+      query path:
+        - /^experimental\/.*/
+  - exclude:
+      tags contain:
+        - experimental
+  - exclude:
+      problem.severity:
+        - recommendation
+  - exclude:
+      id: tob/cpp/use-of-legacy-algorithm
diff --git a/.github/workflows/codeql_nobuild.yml b/.github/workflows/codeql_nobuild.yml
@@ -0,0 +1,61 @@
+name: CodeQL No-Build Analysis
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 * * SUN"
+  pull_request:
+    paths:
+      - "*.py"
+      - "*.yml"
+      - "*.c"
+      - "*.h"
+      - "*.cpp"
+      - "*.hpp"
+      - "*.ino"
+
+jobs:
+  codeql-analysis:
+    name: CodeQL ${{ matrix.language }} Analysis
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language:
+          - python
+          - actions
+          - cpp
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql/codeql-config.yml
+          build-mode: none
+
+      - name: Process .ino files
+        if: matrix.language == 'cpp'
+        run: |
+          # Find all .ino files and process them
+          find . -name "*.ino" -type f | while read -r file; do
+            echo "Processing $file"
+
+            # Create new .cpp file with Arduino.h include
+            echo "#include <Arduino.h>" > "${file%.ino}.cpp"
+
+            # Append the original content
+            cat "$file" >> "${file%.ino}.cpp"
+
+            # Remove the original .ino file
+            rm "$file"
+
+            echo "Converted $file to ${file%.ino}.cpp"
+          done
+
+      - name: Run CodeQL Analysis
+        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        with:
+          category: "Analysis: ${{ matrix.language }}"
