From 177fbb79591fcafd032fccee15383236b4578feb Mon Sep 17 00:00:00 2001
From: Martin Belanger
Date: Mon, 6 Apr 2026 13:46:09 -0400
Subject: [PATCH] code quality: add CodeQL static analysis

Add a CodeQL workflow to perform static security analysis on the Python codebase. The workflow runs on push/PR to main and weekly on Tuesdays. The Meson build runs before analysis so that all template-configured files are resolved in .build/ prior to scanning. A CodeQL config file constrains analysis to .build/ (excluding .build/subprojects/, which is nvme-cli/libnvme code) and sets PYTHONPATH so that libnvme imports are resolved for accurate taint tracking.

Signed-off-by: Martin Belanger
---
.github/codeql/codeql-config.yml | 7 ++++
.github/workflows/codeql.yml | 64 ++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+)
create mode 100644 .github/codeql/codeql-config.yml
create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..58c93d6
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,7 @@
+# Analyze only the Meson build output (.build/), which contains fully
+# configured files (Meson template substitutions resolved). Exclude
+# subprojects/ — that is nvme-cli/libnvme code, not nvme-stas.
+paths:
+ - .build
+paths-ignore:
+ - .build/subprojects
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..198cc42
--- /dev/null
+++ b/.github/workflows/codeql.yml
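Review bot: Restricting `paths` to `.build` means every CodeQL alert will be reported against a file path under `.build/`, which presumably is not a tracked path in the repository (it is the Meson output directory), so code-scanning results will not annotate the corresponding source lines in pull requests and the alert's source view will not resolve; confirm this trade-off is acceptable, or consider whether the template-configured files could be resolved in place so alerts map onto tracked sources. The header comment explains why the copies are scanned but not that `paths-ignore: .build/subprojects` only skips extraction of the libnvme sources while the workflow still places that directory on PYTHONPATH for import resolution, so extend it with `# subprojects/ stays on PYTHONPATH (see codeql.yml) so libnvme imports resolve, but is not scanned.`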
@@ -0,0 +1,64 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ schedule:
+ - cron: '15 3 * * 2' # Tuesdays at 3:15 AM UTC
+
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Analyze (python)
+ runs-on: ubuntu-24.04
+ timeout-minutes: 60
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: "CHECKOUT: nvme-stas"
+ uses: actions/checkout@v6
+
+ - name: "INSTALL: build packages"
+ run: |
+ sudo apt-get update
+ sudo apt-get install --yes --quiet meson ninja-build cmake
+
+ - name: "INSTALL: python packages"
+ run: |
+ sudo apt-get install --yes --quiet python3-systemd python3-pyudev python3-dasbus python3-gi python3-lxml python3-tomli
+
+ - name: "INSTALL: remaining debian packages"
+ run: |
+ sudo apt-get install --yes --quiet libgirepository1.0-dev libsystemd-dev
+
+ - name: "INSTALL: libnvme packages (needed to build libnvme)"
+ run: |
+ sudo apt-get install --yes --quiet swig libjson-c-dev
+
+ - name: "INIT: CodeQL"
+ uses: github/codeql-action/init@v3
+ with:
+ languages: python
+ config-file: ./.github/codeql/codeql-config.yml
+
+ - name: "BUILD: [libnvme, nvme-stas] (generates configured files in .build/)"
+ uses: BSFishy/meson-build@v1.0.3
+ with:
+ action: build
+ directory: .build
+ setup-options: --buildtype=release --sysconfdir=/etc --prefix=/usr -Dnvme-cli:buildtype=release -Dnvme-cli:sysconfdir=/etc -Dnvme-cli:prefix=/usr -Dnvme-cli:python=enabled -Dnvme-cli:libdbus=disabled -Dnvme-cli:openssl=disabled -Dnvme-cli:json-c=disabled -Dnvme-cli:keyutils=disabled
+
+ - name: "CONFIG: PYTHONPATH"
+ run: |
+ echo "PYTHONPATH=.build:.build/subprojects/nvme-cli/libnvme:/usr/lib/python3/dist-packages/" >> $GITHUB_ENV
+
+ - name: "ANALYZE: CodeQL"
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:python"
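Review bot: `uses: BSFishy/meson-build@v1.0.3` in the BUILD step references a third-party action by a mutable tag, so anyone able to move that tag can run arbitrary code in this job, which holds `security-events: write` and also produces the `.build/` tree that the ANALYZE step scans. Pin it to the full commit SHA and keep the tag as a comment, `uses: BSFishy/meson-build@<full-commit-sha>  # v1.0.3`, so the reference is immutable while Dependabot can still track updates. The same applies in principle to `actions/checkout@v6` and the two `github/codeql-action@v3` references, though those are GitHub-maintained and commonly accepted at a major tag. Minor: quote the env-file path in the CONFIG step, `>> "$GITHUB_ENV"`, matching the form GitHub's own documentation uses.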