
ci: replace settings-generated CodeQL job with containerized workflow #73

Closed. Copilot wants to merge 4 commits into main from copilot/replace-codeql-job-workflow


Conversation

Copilot AI commented Jun 10, 2026

Contributor

The repository-settings-generated CodeQL job was failing during workspace cleanup on the self-hosted runner due to permission errors on build artifacts (hd/rust/hd, test/test, test/test_maker, .git/FETCH_HEAD) created with mismatched ownership. No checked-in workflow file existed to fix or override this.

Changes

  • .github/workflows/codeql.yml (new): Checked-in CodeQL workflow for C/C++ analysis, replacing the settings-generated setup
    • Runs the entire job (checkout → init → build → analyze) inside a buildpack-deps:jammy container, matching the existing C test workflow — eliminates the ownership/permission drift on the host workspace
    • Triggers on push/PR to main and weekly schedule
    • Uses github/codeql-action/{init,analyze}@v4 and actions/checkout@v6
    • Sets defaults.run.shell: bash (container jobs default to sh)
    • Build: make clean || true && make -j"$(nproc)"
```yaml
on:                        # added here from the changes list above; not in the original excerpt
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # a weekly schedule trigger is also configured; its cron value is not quoted in this PR
permissions:               # added here: codeql-action/analyze needs security-events: write to upload results
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: self-hosted
    container:
      image: buildpack-deps:jammy
    defaults:
      run:
        shell: bash        # container jobs default to sh
    steps:
      - uses: actions/checkout@v6
      - uses: github/codeql-action/init@v4
        with:
          languages: cpp
      - run: |
          make clean || true  # tolerate missing or no-op clean target
          make -j"$(nproc)"
      - uses: github/codeql-action/analyze@v4
```

The repository-settings-generated CodeQL job should be disabled once this workflow is active to avoid duplicate runs.

Copilot AI changed the title from "[WIP] Add CodeQL workflow file for analysis of C/C++ code" to "ci: replace settings-generated CodeQL job with containerized workflow" Jun 10, 2026
Copilot AI requested a review from lshqqytiger June 10, 2026 07:35
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@lshqqytiger

Contributor

@copilot There are several errors including "git call failed" in the CI log https://github.com/sdbx/Utils/actions/runs/27260741265/job/80505580578. Is this fine?

Copilot AI commented Jun 10, 2026

Contributor Author

> @copilot There are several errors including "git call failed" in the CI log https://github.com/sdbx/Utils/actions/runs/27260741265/job/80505580578. Is this fine?

The job completed successfully (the CodeQL job status was success), but there are two types of noise worth explaining:

git call failed: detected dubious ownership — Git's CVE-2022-24765 protection rejects the mounted workspace because the container runs as root but files are owned by the host runner user. CodeQL falls back gracefully, but it's noisy. Fixed in the latest commit (ci: add safe.directory config…) by adding git config --global --add safe.directory '*' before checkout.

ld.so: cannot preload ${LIB}_${PLATFORM}_trace.so — These only appear during post-job Docker exec probes (Actions running cat /etc/*release to identify the container OS). LD_PRELOAD set by CodeQL's build tracer is still in the environment at that point. This is harmless noise and doesn't affect analysis results.
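The dubious-ownership failure described in the reply above, reproduced and then scoped, as an added example that is not part of this PR or of the sdbx/Utils repository. It models Git's ownership rule without needing root (a second argument stands in for the uid running git), lists the workspace files a host-side cleanup step would fail to remove, and shows the narrower alternative to `safe.directory '*'`: trusting only the workspace path. The function names and the throwaway directories are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the sdbx/Utils PR. It shows (1) the ownership
# rule behind Git's "detected dubious ownership" refusal (CVE-2022-24765),
# (2) how to list workspace files that a later cleanup step on the host would
# trip over, and (3) a narrower safe.directory setting than '*'.
# Assumed names: the functions below and the workspace paths passed to them.
set -euo pipefail

# Numeric owner of a path: GNU stat first, BSD/macOS stat as a fallback.
owner_uid() {
  stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# Simplified form of Git's check: the repository directory must be owned by the
# uid running git. The optional second argument stands in for that uid so the
# "root inside the container, files owned by the host runner user" case can be
# reproduced without root. Returns 0 when Git would proceed, 1 when it would
# print "detected dubious ownership" and refuse.
ownership_ok() {
  local repo=$1 euid=${2:-$(id -u)}
  [ "$(owner_uid "$repo")" = "$euid" ]
}

# Files under the workspace not owned by the current uid. Run from the host
# runner account, this is the set that a workspace-cleanup step cannot remove
# after a root container has written build artifacts into it.
foreign_files() {
  find "$1" ! -user "$(id -u)" -print
}

# Narrower alternative to `git config --global --add safe.directory '*'`, which
# switches the ownership check off for every repository the runner account
# touches. Trusting only the workspace path keeps the check for everything else.
# Writes to the global config of whatever HOME is in effect.
trust_workspace_only() {
  local ws=$1
  command -v git >/dev/null 2>&1 || { echo "git not installed" >&2; return 2; }
  git config --global --add safe.directory "$ws"
  git config --global --get-all safe.directory
}

# Demo: `bash this.sh demo`. Uses throwaway directories and a temporary HOME so
# nothing on the real machine is modified.
if [ "${1:-}" = "demo" ]; then
  ws=$(mktemp -d)
  if ownership_ok "$ws"; then echo "owned by uid $(id -u): git proceeds"; fi
  other=$(( $(owner_uid "$ws") + 1 ))   # any uid that is not the owner
  if ! ownership_ok "$ws" "$other"; then echo "as uid $other: git refuses (dubious ownership)"; fi
  echo "files not owned by uid $(id -u): $(foreign_files "$ws" | wc -l)"
  HOME=$(mktemp -d) trust_workspace_only "$ws"
fi
```

Trusting `'*'` turns the CVE-2022-24765 check off for every repository the runner account ever touches. On a shared self-hosted runner that is a larger exemption than the job needs, since only the mounted workspace is owned by another uid; the workspace path (GITHUB_WORKSPACE in Actions) is enough.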

@lshqqytiger lshqqytiger marked this pull request as ready for review June 10, 2026 08:15
Copilot AI review requested due to automatic review settings June 10, 2026 08:15

Copilot AI left a comment


Pull request overview

This PR adds a checked-in GitHub Actions CodeQL workflow for C/C++ that runs entirely inside a buildpack-deps:jammy container on the self-hosted runner, aiming to eliminate workspace cleanup permission/ownership issues caused by host/container artifact ownership drift.

Changes:

  • Adds a new .github/workflows/codeql.yml workflow to replace the repository-settings-generated CodeQL configuration.
  • Runs checkout → CodeQL init → make build → CodeQL analyze inside a container to keep filesystem ownership consistent.
  • Schedules CodeQL on pushes/PRs to main and a weekly cron.


```yaml
    steps:
      - name: Configure Git safe directory
        run: git config --global --add safe.directory '*'

      - name: Build
        run: |
          make clean || true  # tolerate missing or no-op clean target
```


4 participants