authorVaxry <[email protected]>2023-04-17 17:16:19 +0100
committerGitHub <[email protected]>2023-04-17 17:16:19 +0100
commitb0d86a71597d898da5bdc7dae8ca4afeb21a1144 (patch)
treedbf198624c21664bc50724aa2dc5009cf6666ae6 /.github
parenta6cfe704289795740709dd2397c2a43646ca2d6e (diff)
CI: Add CodeQL (#2088)
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/flawfinder.yml30
-rw-r--r--.github/workflows/security-checks.yml76
2 files changed, 76 insertions, 30 deletions
diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
deleted file mode 100644
index e1df95dc..00000000
--- a/.github/workflows/flawfinder.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Flawfinder
-
-on:
- push:
- branches: [ main ]
- pull_request:
- branches: [ main ]
-
-jobs:
- flawfinder:
- name: Flawfinder Checks
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Scan with Flawfinder
- uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
- with:
- arguments: '--sarif ./'
- output: 'flawfinder_results.sarif'
-
- - name: Upload analysis results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{github.workspace}}/flawfinder_results.sarif
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
new file mode 100644
index 00000000..6b7d71e5
--- /dev/null
+++ b/.github/workflows/security-checks.yml
@@ -0,0 +1,76 @@
+name: Security Checks
+
+on: [push, pull_request]
+
+jobs:
+ flawfinder:
+ name: Flawfinder Checks
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Scan with Flawfinder
+ uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c
+ with:
+ arguments: '--sarif ./'
+ output: 'flawfinder_results.sarif'
+
+ - name: Upload analysis results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{github.workspace}}/flawfinder_results.sarif
+
+ codeql:
+ name: CodeQL
+ runs-on: ubuntu-latest
+ container:
+ image: archlinux
+
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Init Hyprland build
+ run: |
+ sed -i 's/SigLevel = Required DatabaseOptional/SigLevel = Optional TrustAll/' /etc/pacman.conf
+ pacman --noconfirm --noprogressbar -Syyu
+ pacman --noconfirm --noprogressbar -Sy glslang libepoxy libfontenc libxcvt libxfont2 libxkbfile vulkan-headers vulkan-validation-layers xcb-util-errors xcb-util-renderutil xcb-util-wm xorg-fonts-encodings xorg-server-common xorg-setxkbmap xorg-xkbcomp xorg-xwayland git cmake go clang lld libc++ pkgconf meson ninja wayland wayland-protocols libinput libxkbcommon pixman glm libdrm libglvnd cairo pango systemd scdoc base-devel seatd python libliftoff
+ useradd -m githubuser
+ echo -e "root ALL=(ALL:ALL) ALL\ngithubuser ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers
+ su githubuser -c "cd ~ && git clone https://aur.archlinux.org/libdisplay-info.git && cd ./libdisplay-info && makepkg -si --skippgpcheck --noconfirm --noprogressbar"
+ git config --global --add safe.directory /__w/Hyprland/Hyprland
+
+ - name: Checkout Hyprland
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+ - name: Build Hyprland
+ run: |
+ git submodule sync --recursive && git submodule update --init --force --recursive
+ make all
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
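Review bot: Line 115 rewrites pacman.conf to `SigLevel = Optional TrustAll`, which turns off package signature verification for everything installed on line 117, and line 120 repeats the same relaxation for the AUR build with `--skippgpcheck`; since this job runs with `security-events: write`, an unverified package in the build container could influence what is reported to the Security tab. If the sed is a workaround for a stale keyring in the `archlinux` image (not stated in the hunk), refreshing the keyring first keeps verification on: replace line 115 with `pacman --noconfirm --noprogressbar -Sy archlinux-keyring` and leave the default SigLevel in place. The redirect on line 119 also replaces `/etc/sudoers` wholesale, dropping whatever the image shipped; writing the `githubuser` grant to a drop-in under `/etc/sudoers.d/` would scope it without overwriting the file. Separately, `actions/checkout@v3` and the `github/codeql-action` steps are pinned by floating major tag while the flawfinder action on line 78 is pinned to a commit SHA; pinning them the same way would make the workflow's supply-chain posture consistent.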