ZEISS · ptahmose · Oct 23, 2023 · Oct 17, 2023 · Oct 17, 2023 · Oct 17, 2023
diff --git a/.github/actions/cmake-build/action.yml b/.github/actions/cmake-build/action.yml
@@ -0,0 +1,57 @@
+---
+name: 'CMake-Build'
+description: 'Install Dependencies + Configure CMake + Build'
+inputs:
+  path-cache:
+    description: 'Path to vcpkg cache directory'
+    required: true
+  path-toolchain:
+    description: 'Path to vcpkg tool chain file'
+    required: true
+  os-id:
+    description: 'Operating System Identifier'
+    required: true
+  build-type:
+    description: 'Build Configuration'
+    required: true
+  package:
+    description: 'Using package manager for external dependencies'
+    required: true
+  platform:
+    description: 'OS platform'
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Cache vcpkg
+      uses: actions/cache@v3
+      if: inputs.package == 'ON'
+      with:
+        path: ${{inputs.path-cache}}
+        key: vcpkg-x64-${{inputs.os-id}}-
+        restore-keys: vcpkg-x64-${{inputs.os-id}}-
+
+    - name: Set toolchain path
+      shell: bash
+      run: echo "TOOLCHAIN_PATH=${{inputs.path-toolchain}}" >> "$GITHUB_ENV"
+
+    - name: Install dependencies
+      if: inputs.package == 'ON'
+      shell: bash
+      run: |
+         # We install the following packages: eigen3, catch2, cli11. Installing them with vcpkg (and caching them)
+         # is faster than downloading and building them from source (which is the default behavior of the CZICompress-build-system).
+         vcpkg install --triplet ${{inputs.platform}} eigen3 catch2 cli11
+
+    - name: Configure CMake
+      shell: bash
+      # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
+      # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type
+      #
+      # Instruct to use eigen3, cli11 and catch2 from vcpkg - this way the build is faster (both are installed above with vcpkg-package-manager, which is also cached).
+      run: cmake -B build -DCMAKE_BUILD_TYPE=${{inputs.build-type}} -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3=${{inputs.package}} -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3=${{inputs.package}} -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CATCH2=${{inputs.package}} -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CLI11=${{inputs.package}} -DCMAKE_TOOLCHAIN_FILE=${{inputs.path-toolchain}} -DVCPKG_TARGET_TRIPLET=${{inputs.platform}}
+
+    - name: Build software
+      shell: bash
+      # Build your program with the given configuration
+      run: cmake --build build --config ${{inputs.build-type}}
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -43,66 +43,34 @@ jobs:
             name: windows-64-release-msvc-package-on,
             os: windows-latest,
             platform: x64-windows-static,
-            package: ON
+            package: ON,
+            path-cache: '${{ github.workspace }}\vcpkg\installed',
+            path-toolchain: 'C:/vcpkg/scripts/buildsystems/vcpkg.cmake',
+            os-id: 'linux'
           }
           - {
             name: ubuntu-release-package-on,
             os: ubuntu-latest,
             platform: x64-linux,
-            package: ON
+            package: ON,
+            path-cache: '/usr/local/share/vcpkg/installed',
+            path-toolchain: '/usr/local/share/vcpkg/scripts/buildsystems/vcpkg.cmake',
+            os-id: 'windows'
           }
 
     steps:
 
       - name: Checkout the source codes.
         uses: actions/checkout@v3
 
-      - name: Cache vcpkg for Linux if use of external packages is set ON
-        if: matrix.config.os == 'ubuntu-latest' && matrix.config.package == 'ON'
-        uses: actions/cache@v3
+      - uses: ./.github/actions/cmake-build
         with:
-          path: '/usr/local/share/vcpkg/installed'
-          key: vcpkg-x64-linux-
-          restore-keys: vcpkg-x64-linux-
-
-      - name: Cache vcpkg for Windows if use of external packages is set ON
-        if: matrix.config.os == 'windows-latest' && matrix.config.package == 'ON'
-        uses: actions/cache@v3
-        with:
-          path: ${{ github.workspace }}\vcpkg\installed
-          key: vcpkg-x64-windows-
-          restore-keys: vcpkg-x64-windows-
-
-      - name: Set toolchain path for Linux
-        if: matrix.config.os == 'ubuntu-latest'
-        shell: bash
-        run: echo "TOOLCHAIN_PATH=/usr/local/share/vcpkg/scripts/buildsystems/vcpkg.cmake" >> "$GITHUB_ENV"
-
-      - name: Set toolchain path for Windows
-        if: matrix.config.os == 'windows-latest'
-        shell: bash
-        run: echo "TOOLCHAIN_PATH=C:/vcpkg/scripts/buildsystems/vcpkg.cmake" >> "$GITHUB_ENV"
-
-      - name: Install dependencies if use of external packages is set ON
-        if: matrix.config.package == 'ON'
-        shell: bash
-        run: |
-           # We install the following packages: eigen3, catch2, cli11. Installing them with vcpkg (and caching them)
-           # is faster than downloading and building them from source (which is the default behavior of the CZICompress-build-system).
-           vcpkg install --triplet ${{matrix.config.platform}} eigen3 catch2 cli11
-
-      - name: Configure CMake
-        # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
-        # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type
-        #
-        # Instruct to use eigen3, cli11 and catch2 from vcpkg - this way the build is faster (both are installed above with vcpkg-package-manager, which is also cached).
-        run: |
-           cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3=${{matrix.config.package}}  -DLIBCZI_BUILD_PREFER_EXTERNALPACKAGE_EIGEN3=${{matrix.config.package}} -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CATCH2=${{matrix.config.package}} -DCZICOMPRESS_BUILD_PREFER_EXTERNALPACKAGE_CLI11=${{matrix.config.package}} -DCMAKE_TOOLCHAIN_FILE=${{env.TOOLCHAIN_PATH}} -DVCPKG_TARGET_TRIPLET=${{matrix.config.platform}}
-
-      - name: Build software
-        # Build your program with the given configuration
-        run: |
-           cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}}
+          path-cache: ${{matrix.config.path-cache}}
+          path-toolchain: ${{matrix.config.path-toolchain}}
+          os-id: ${{matrix.config.os-id}}
+          build-type: ${{env.BUILD_TYPE}}
+          package: ${{matrix.config.package}}
+          platform: ${{matrix.config.platform}}
 
       - name: Run unit tests
         working-directory: ${{github.workspace}}/build

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,57 @@
+---
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  schedule:
+    - cron: "22 16 * * 4"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["cpp"]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      - uses: ./.github/actions/cmake-build
+        with:
+          path-cache: '/usr/local/share/vcpkg/installed'
+          path-toolchain: '/usr/local/share/vcpkg/scripts/buildsystems/vcpkg.cmake'
+          os-id: 'linux'
+          build-type: Release
+          package: ON
+          platform: x64-linux
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/README.md b/README.md
@@ -2,6 +2,7 @@
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![REUSE status](https://api.reuse.software/badge/github.com/ZEISS/czicompress)](https://api.reuse.software/info/github.com/ZEISS/czicompress)
 [![CMake](https://github.com/ZEISS/czicompress/actions/workflows/cmake.yml/badge.svg?branch=main&event=push)](https://github.com/ZEISS/czicompress/actions/workflows/cmake.yml)
+[![CodeQL](https://github.com/ZEISS/czicompress/actions/workflows/codeql.yml/badge.svg?branch=main&event=push)](https://github.com/ZEISS/czicompress/actions/workflows/codeql.yml)
 [![MegaLinter](https://github.com/ZEISS/czicompress/actions/workflows/mega-linter.yml/badge.svg?branch=main&event=push)](https://github.com/ZEISS/czicompress/actions/workflows/mega-linter.yml)
 
 Reduce the size of existing CZI files by converting them to zstd-compressed CZI files.