Add Github Actions workflow for CodeQL analysis

leonlynch · leonlynch · commit c01b472d9bb5 · 2025-11-20T20:41:33.000+01:00
This workflow will also run on the 20th of every month in case future
improvements to CodeQL can discover new vulnerabilities.
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -0,0 +1,56 @@
+##############################################################################
+# Copyright 2025 Leon Lynch
+#
+# This file is licensed under the terms of the LGPL v2.1 license.
+# See LICENSE file.
+##############################################################################
+
+name: CodeQL
+
+on:
+  push:
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '15 4 20 * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        submodules: recursive
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libmbedtls-dev libboost-locale-dev iso-codes libjson-c-dev libpcsclite-dev qtbase5-dev
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: c-cpp
+        build-mode: manual
+        queries: security-and-quality
+
+    - name: Build
+      run: |
+        cmake -B build \
+          -DCMAKE_BUILD_TYPE="Debug" \
+          -DBUILD_EMV_DECODE=YES \
+          -DBUILD_EMV_TOOL=YES \
+          -DBUILD_EMV_VIEWER=YES
+        cmake --build build -j 4
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
