ci: update CodeQL workflow (#956)

sebthom · web-flow · commit ec97899b0176 · 2025-11-15T12:48:41.000+01:00
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,15 @@
+# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-a-custom-configuration-file
+name: "CodeQL config"
+queries:
+- uses: security-and-quality
+- uses: ./.github/codeql/queries/java  # load our custom CodeQL rules
+
+query-filters:
+- exclude:
+    # Exclude the built-in shadowing rule.
+    # We intentionally use final locals that copy instance fields
+    # (e.g. `final var name = this.name`) to support Eclipse null analysis
+    # without introducing noisy renaming. This pattern is deliberate and safe,
+    # so the built-in rule is disabled in favor of our custom rule
+    # (local-shadows-instance-field.ql).
+    id: java/local-shadows-field
diff --git a/.github/codeql/queries/java/local-shadows-instance-field.ql b/.github/codeql/queries/java/local-shadows-instance-field.ql
@@ -0,0 +1,47 @@
+/**
+ * @name Local variable shadows instance field (except final this-copy)
+ * @description Flags local variables that shadow an instance field, unless they are final
+ *              and initialized directly from that same field (for example `final var name = this.name;`).
+ * @id custom-java/local-shadows-instance-field-strict
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness readability maintainability
+ */
+import java
+import semmle.code.java.Member
+import semmle.code.java.Variable
+
+/**
+ * True if this local variable is an allowed shadowing of the given instance field:
+ *
+ *   final var name = this.name;
+ *   final var name = name;       // implicit this
+ */
+predicate allowedShadowing(LocalVariableDecl local, Field field) {
+  local.isFinal() and
+  exists(FieldAccess fa |
+    fa = local.getInitializer().getUnderlyingExpr().(FieldAccess) and
+    fa.getField() = field and
+    fa.isOwnFieldAccess()
+  )
+}
+
+from LocalVariableDecl local, Field field, Callable c
+where
+  // same simple name
+  local.getName() = field.getName() and
+
+  // only consider instance fields
+  not field.isStatic() and
+
+  // local is inside a callable of a class related to the field's declaring type
+  c = local.getCallable() and
+  c.getDeclaringType().getASupertype*() = field.getDeclaringType() and
+
+  // shadowing is NOT in the allowed final-this-copy form
+  not allowedShadowing(local, field)
+select local,
+  "Local variable '" + local.getName() + "' shadows instance field '" +
+  field.getQualifiedName() +
+  "'. Shadowing is only allowed for 'final' locals directly initialized from this field."
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -10,6 +10,7 @@ on:  # https://docs.github.com/en/actions/reference/workflows-and-actions/events
     paths-ignore:
     - '**/*.md'
     - '.github/*.yml'
+    - '.github/workflows/bump-version.yml'
     - '.github/workflows/codeql.yml'
     - '.github/workflows/licensecheck.yml'
     - '.github/workflows/validate_pr.yml'
@@ -23,6 +24,7 @@ on:  # https://docs.github.com/en/actions/reference/workflows-and-actions/events
     - '**/*.md'
     - '.github/*.yml'
     - '.github/workflows/bump-version.yml'
+    - '.github/workflows/codeql.yml'
     - '.github/workflows/licensecheck.yml'
     - '.github/workflows/validate_pr.yml'
     - '**/.project'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -2,15 +2,13 @@
 name: CodeQL
 
 on:  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows
+  schedule:
+    # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#schedule
+    - cron: "30 18 * * 1"  # Mondays 18:30 UTC
   push:
     branches: [ "main" ]
     paths-ignore:
     - '**/*.md'
-    - '.github/*.yml'
-    - '.github/workflows/build.yml'
-    - '.github/workflows/bump-version.yml'
-    - '.github/workflows/licensecheck.yml'
-    - '.github/workflows/validate_pr.yml'
     - '**/.project'
     - '**/.settings/*.prefs'
     - '.gitignore'
@@ -20,11 +18,6 @@ on:  # https://docs.github.com/en/actions/reference/workflows-and-actions/events
     branches: [ "main" ]
     paths-ignore:
     - '**/*.md'
-    - '.github/*.yml'
-    - '.github/workflows/build.yml'
-    - '.github/workflows/bump-version.yml'
-    - '.github/workflows/licensecheck.yml'
-    - '.github/workflows/validate_pr.yml'
     - '**/.project'
     - '**/.settings/*.prefs'
     - '.gitignore'
@@ -34,20 +27,35 @@ on:  # https://docs.github.com/en/actions/reference/workflows-and-actions/events
     # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch
 
 
+defaults:
+  run:
+    shell: bash
+
+
+env:
+  JAVA_VERSION: 21
+
+
 jobs:
 
   ###########################################################
   analyze:
   ###########################################################
 
+    concurrency:
+      group: codeql-${{ github.workflow }}-${{ github.ref }}-${{ matrix.language }}
+      cancel-in-progress: true
+
     strategy:
       fail-fast: false
       matrix:
         include:
         # build-mode: https://github.com/github/codeql-action#build-modes
-        - language: java-kotlin
+        - language: actions
           build-mode: none
-        - language: javascript-typescript
+        - language: java
+          build-mode: manual
+        - language: javascript
           build-mode: none
         - language: python
           build-mode: none
@@ -82,15 +90,47 @@ jobs:
       uses: actions/checkout@v5  # https://github.com/actions/checkout
 
 
-    # CodeQL executes https://github.com/ferstl/depgraph-maven-plugin
+    - name: "Install: JDK 21 for Compilation ☕"
+      uses: actions/setup-java@v5  # https://github.com/actions/setup-java
+      if: matrix.language == 'java'
+      with:
+        distribution: temurin
+        java-version: 21
+
+
     - name: "Install: JDK 25 for Maven/Tycho ☕"
       uses: actions/setup-java@v5  # https://github.com/actions/setup-java
-      if: ${{ matrix.language }} == 'java'
+      if: matrix.language == 'java'
       with:
         distribution: temurin
         java-version: 25
 
 
+    - name: "Cache: Local Maven Repository"
+      uses: actions/cache/restore@v4
+      if: matrix.language == 'java'
+      with:
+        # Excluded sub directory not working https://github.com/actions/toolkit/issues/713
+        path: |
+          ~/.m2/repository/*
+          !~/.m2/repository/.cache/tycho
+          !~/.m2/repository/.meta/p2-artifacts.properties
+          !~/.m2/repository/p2
+          !~/.m2/repository/*SNAPSHOT*
+        key: ${{ runner.os }}-${{ runner.arch }}-repo-mvn-${{ hashFiles('**/pom.xml') }}
+
+
+    - name: "Cache: Local Tycho Repository"
+      uses: actions/cache/restore@v4
+      if: matrix.language == 'java'
+      with:
+        path: |
+          ~/.m2/repository/.cache/tycho
+          ~/.m2/repository/.meta/p2-artifacts.properties
+          ~/.m2/repository/p2
+        key: ${{ runner.os }}-${{ runner.arch }}-repo-tycho-${{ hashFiles('target-platforms/target-platform-latest/target-platform-latest.target') }}
+
+
     # https://docs.github.com/en/code-security/code-scanning
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v4  # https://github.com/github/codeql-action
@@ -99,7 +139,29 @@ jobs:
         # https://github.com/github/codeql-action#build-modes
         build-mode: ${{ matrix.build-mode }}
         # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs
-        queries: +security-and-quality
+        config-file: ./.github/codeql/codeql-config.yml
+
+
+    - name: "Build with Maven 🔨"
+      if: matrix.language == 'java'
+      run: |
+        set -euo pipefail
+
+        MAVEN_OPTS="${MAVEN_OPTS:-}"
+        MAVEN_OPTS+=" -Djava.security.egd=file:/dev/./urandom" # https://stackoverflow.com/questions/58991966/what-java-security-egd-option-is-for/59097932#59097932
+        MAVEN_OPTS+=" -Dorg.slf4j.simpleLogger.showDateTime=true -Dorg.slf4j.simpleLogger.dateTimeFormat=HH:mm:ss,SSS" # https://stackoverflow.com/questions/5120470/how-to-time-the-different-stages-of-maven-execution/49494561#49494561
+        MAVEN_OPTS+=" -Xmx1024m -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Dhttps.protocols=TLSv1.3,TLSv1.2"
+        export MAVEN_OPTS
+        echo "MAVEN_OPTS: $MAVEN_OPTS"
+ 
+        ./mvnw \
+          --errors \
+          --no-transfer-progress \
+          --batch-mode \
+          --show-version \
+          -Declipse.p2.mirrors=false \
+          -Dmaven.test.skip=true \
+          clean verify
 
 
     - name: Perform CodeQL Analysis
