From d1d1cb5289541c583738dc0dd355a62e0ac5b69c Mon Sep 17 00:00:00 2001 From: Felix Scheffler Date: Tue, 17 Oct 2023 23:11:43 +0200 Subject: [PATCH] Add CodeQL --- .github/actions/cmake-build/action.yml | 57 +++++++++++++++++++++++ .github/workflows/cmake.yml | 63 +++++++------------------- .github/workflows/codeql.yml | 57 +++++++++++++++++++++++ 3 files changed, 130 insertions(+), 47 deletions(-) create mode 100644 .github/actions/cmake-build/action.yml create mode 100644 .github/workflows/codeql.yml diff --git a/.github/actions/cmake-build/action.yml b/.github/actions/cmake-build/action.yml new file mode 100644 index 0000000..3076373 --- /dev/null +++ b/.github/actions/cmake-build/action.yml 
@@ -0,0 +1,57 @@
+---
+name: 'CMake-Build'
+description: 'Install Dependencies + Configure CMake + Build'
+inputs:
+ path-cache:
+ description: 'Path to vcpkg cache directory'
+ required: true
+ path-toolchain:
+ description: 'Path to vcpkg tool chain file'
+ required: true
+ os-id:
+ description: 'Operating System Identifier'
+ required: true
+ build-type:
+ description: 'Build Configuration'
+ required: true
+ package:
+ description: 'Using package manager for external dependencies'
+ required: true
+ platform:
+ description: 'OS platform'
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - name: Cache vcpkg
+ uses: actions/cache@v3
+ if: inputs.package == 'ON'
+ with:
+ path: ${{inputs.path-cache}}
+ key: vcpkg-x64-${{inputs.os-id}}-
+ restore-keys: vcpkg-x64-${{inputs.os-id}}-
+
+ - name: Set toolchain path
+ shell: bash
+ run: echo "TOOLCHAIN_PATH=${{inputs.path-toolchain}}" >> "$GITHUB_ENV"
+
+ - name: Install dependencies
+ if: inputs.package == 'ON'
+ shell: bash
+ run: |
+ # We install the following packages: eigen3, catch2, cli11. Installing them with vcpkg (and caching them)
+ # is faster than downloading and building them from source (which is the default behavior of the CZICompress-build-system).
+ vcpkg install --triplet ${{inputs.platform}} eigen3 catch2 cli11
+
+ - name: Configure CMake
+ shell: bash
+ # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
+ # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type
+ #
+ # Instruct to use eigen3, cli11 and catch2 from vcpkg - this way the build is faster (both are installed above with vcpkg-package-manager, which is also cached).
+ run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{inputs.build-type}} -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3=${{inputs.package}} -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3=${{inputs.package}} -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CATCH2=${{inputs.package}} -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CLI11=${{inputs.package}} -DCMAKE_TOOLCHAIN_FILE=${{inputs.path-toolchain}} -DVCPKG_TARGET_TRIPLET=${{inputs.platform}} + + - name: Build software + shell: bash + # Build your program with the given configuration + run: cmake --build ${{github.workspace}}/build --config ${{inputs.build-type}} diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 5098cce..a5a7582 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -43,13 +43,20 @@ jobs: name: windows-64-release-msvc-package-on, os: windows-latest, platform: x64-windows-static, - package: ON + package: ON, + path-cache: '${{ github.workspace }}\vcpkg\installed', + path-toolchain: C:/vcpkg/scripts/buildsystems/vcpkg.cmake, + os-id: 'linux', + } - { name: ubuntu-release-package-on, os: ubuntu-latest, platform: x64-linux, - package: ON + package: ON, + path-cache: '/usr/local/share/vcpkg/installed', + path-toolchain: /usr/local/share/vcpkg/scripts/buildsystems/vcpkg.cmake, + os-id: 'windows' } steps: 
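Review bot: The `run:` steps splice composite-action inputs straight into shell text — `--triplet ${{inputs.platform}}` in the install step and `-DCMAKE_TOOLCHAIN_FILE=${{inputs.path-toolchain}} -DVCPKG_TARGET_TRIPLET=${{inputs.platform}}` in the configure step — so any caller that ever forwards a non-literal value (a `workflow_dispatch` input, a PR-derived string) gets a script-injection path; the standard hardening is to hand each input to the step through `env:` and expand it as a quoted shell variable. Both callers visible in this patch pass matrix or literal values, so this is a hardening point today rather than a live hole. Separately, the configure command passes `-DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3` twice (the second looks like a copy of the first and may have been meant for another option), and the `TOOLCHAIN_PATH` written to `$GITHUB_ENV` is read by no step of this action because the configure step uses the input directly — if no caller consumes it either, that step is dead. The cache key `vcpkg-x64-${{inputs.os-id}}-` carries no hash of the package set or vcpkg baseline, so the prefix `restore-keys` match will keep serving a stale `installed` tree indefinitely; appending a `hashFiles(...)` of whatever pins the vcpkg versions would bound that. `actions/cache@v3` is also referenced by a mutable tag; pinning it to a full commit SHA closes a supply-chain path that sits before any build output is trusted.
```yaml
# … unchanged: inputs, Cache vcpkg and Set toolchain path steps …
      - name: Install dependencies
        if: inputs.package == 'ON'
        shell: bash
        env:
          VCPKG_TRIPLET: ${{ inputs.platform }}
        run: vcpkg install --triplet "$VCPKG_TRIPLET" eigen3 catch2 cli11

      - name: Configure CMake
        shell: bash
        env:
          CMAKE_CONFIG: ${{ inputs.build-type }}
          USE_PACKAGE: ${{ inputs.package }}
          TOOLCHAIN_FILE: ${{ inputs.path-toolchain }}
          VCPKG_TRIPLET: ${{ inputs.platform }}
        run: >-
          cmake -B "${{ github.workspace }}/build"
          -DCMAKE_BUILD_TYPE="$CMAKE_CONFIG"
          -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3="$USE_PACKAGE"
          -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CATCH2="$USE_PACKAGE"
          -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CLI11="$USE_PACKAGE"
          -DCMAKE_TOOLCHAIN_FILE="$TOOLCHAIN_FILE"
          -DVCPKG_TARGET_TRIPLET="$VCPKG_TRIPLET"
# … unchanged: Build software step …
```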
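Review bot: The new `os-id` values are crossed: the `windows-latest` entry sets `os-id: 'linux'` and the `ubuntu-latest` entry sets `os-id: 'windows'`, and because the composite action builds its cache key as `vcpkg-x64-${{inputs.os-id}}-`, each runner will now restore the other platform's vcpkg `installed` tree into its own cache path (the Windows job will key on the pre-existing `vcpkg-x64-linux-` entries from the old workflow). Swap them to `os-id: 'windows'` on the Windows entry and `os-id: 'linux'` on the Ubuntu entry. Better still, drop the input and derive the key from `runner.os` inside the action so the two cannot disagree again.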
@@ -57,52 +64,14 @@ jobs: - name: Checkout the source codes. uses: actions/checkout@v3 - - name: Cache vcpkg for Linux if use of external packages is set ON - if: matrix.config.os == 'ubuntu-latest' && matrix.config.package == 'ON' - uses: actions/cache@v3 - with: - path: '/usr/local/share/vcpkg/installed' - key: vcpkg-x64-linux- - restore-keys: vcpkg-x64-linux- - - - name: Cache vcpkg for Windows if use of external packages is set ON - if: matrix.config.os == 'windows-latest' && matrix.config.package == 'ON' - uses: actions/cache@v3 + - uses: ./.github/actions/cmake-build with: - path: ${{ github.workspace }}\vcpkg\installed - key: vcpkg-x64-windows- - restore-keys: vcpkg-x64-windows- - - - name: Set toolchain path for Linux - if: matrix.config.os == 'ubuntu-latest' - shell: bash - run: echo "TOOLCHAIN_PATH=/usr/local/share/vcpkg/scripts/buildsystems/vcpkg.cmake" >> "$GITHUB_ENV" - - - name: Set toolchain path for Windows - if: matrix.config.os == 'windows-latest' - shell: bash - run: echo "TOOLCHAIN_PATH=C:/vcpkg/scripts/buildsystems/vcpkg.cmake" >> "$GITHUB_ENV" - - - name: Install dependencies if use of external packages is set ON - if: matrix.config.package == 'ON' - shell: bash - run: | - # We install the following packages: eigen3, catch2, cli11. Installing them with vcpkg (and caching them) - # is faster than downloading and building them from source (which is the default behavior of the CZICompress-build-system). - vcpkg install --triplet ${{matrix.config.platform}} eigen3 catch2 cli11 - - - name: Configure CMake - # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make. - # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type - # - # Instruct to use eigen3, cli11 and catch2 from vcpkg - this way the build is faster (both are installed above with vcpkg-package-manager, which is also cached). 
- run: | - cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3=${{matrix.config.package}} -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3=${{matrix.config.package}} -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CATCH2=${{matrix.config.package}} -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CLI11=${{matrix.config.package}} -DCMAKE_TOOLCHAIN_FILE=${{env.TOOLCHAIN_PATH}} -DVCPKG_TARGET_TRIPLET=${{matrix.config.platform}} - - - name: Build software - # Build your program with the given configuration - run: | - cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}} + path-cache: ${{matrix.config.path-cache}} + path-toolchain: ${{matrix.config.path-toolchain}} + os-id: ${{matrix.config.os-id}} + build-type: ${{env.BUILD_TYPE}} + package: ${{matrix.config.package}} + platform: ${{matrix.config.platform}} - name: Run unit tests working-directory: ${{github.workspace}}/build diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..f1c435e --- /dev/null +++ b/.github/workflows/codeql.yml 
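Review bot: The new `- uses: ./.github/actions/cmake-build` step has no `name:`, so the job log shows it under the raw action path while every neighbouring step is named; adding `name: Build with CMake` above the `uses:` line keeps the log readable and consistent. The `BUILD_TYPE` it forwards is taken from an `env:` block defined outside this hunk.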
@@ -0,0 +1,57 @@
+---
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["main"]
+ schedule:
+ - cron: "22 16 * * 4"
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["cpp"]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ - uses: ./.github/actions/cmake-build
+ with:
+ path-cache: '/usr/local/share/vcpkg/installed'
+ path-toolchain: '/usr/local/share/vcpkg/scripts/buildsystems/vcpkg.cmake'
+ os-id: 'linux'
+ build-type: Release
+ package: ON
+ platform: x64-linux
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
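Review bot: Every third-party action in the new workflow is referenced by a mutable tag — `actions/checkout@v3`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2` — so a retagged release changes what runs in a job holding `security-events: write`; pin each `uses:` to a full-length commit SHA with the version kept in a trailing comment, and let Dependabot or Renovate move the pins. The top-level `permissions:` block is correctly scoped to the three grants CodeQL needs, which is good. The `queries:` line is left commented out, so only the default suite runs; for a C++ code base it is worth enabling `queries: security-extended` on the init step. Note that the analysis covers whatever the composite action's `cmake --build` compiles in the `Release` configuration it is given here, so targets excluded from that build are not scanned.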