[ISSUE #4737] Separate codeql workflow

[clayburn]

Fixes #4737.

Motivation

The motivation for this PR is to fix an issue where CodeQL is not able to analyze a PR when the Gradle build cache prevents all Java compilation. CodeQL requires the compiler to execute during the workflow in order to perform its analysis, as documented here.

Modifications

This pull request moves the CodeQL verification to its own workflow, independent of the "Continuous Integration" workflow, where Gradle build caching is disabled. This not only addresses the issue, but should also have some improvements to the workflows:

• By moving CodeQL to its own workflow, it can execute in parallel. This removes CodeQL analysis from the critical path of a full build and lets the continuous integration workflow finish more quickly by leveraging build cache and skipping this analysis.
• By moving CodeQL to its own workflow, it is no longer necessary to run the "Continuous integration" workflow for both Java and Go, since the Go branch only seemed to run in order to get CodeQL results. This would eliminate four workflows per larger build. We can also skip the Gradle build on the Go CodeQL workflow.

Documentation

• Does this pull request introduce a new feature? (yes / no)
• If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
• If a feature is not applicable for documentation, explain why?
• If a feature is not documented yet in this PR, please create a followup issue for adding the documentation

[clayburn]

This step seemed like it would never execute, as neither of these languages was in the matrix, so I did not migrate it to the CodeQL workflow.

[Pil0tXia]

You mean L52~L57 task Build C or L50 languages: ${{ matrix.language }}?

[Pil0tXia]

Build C task was added in #4543. It seems intentional to skip the Build C task, and there is further room for optimization (such as submodules: true not added yet) in this area. We have Git submodules in our C SDK, and we want to test these C codes.

[clayburn]

You mean L52~L57 task

Yes, the conditional check for cpp/csharp

Build C task was added in #4543. It seems intentional to skip the Build C task, and there is further room for optimization (such as submodules: true not added yet) in this area. We have Git submodules in our C SDK, and we want to test these C codes.

I'm not quite sure what you mean here, since the way this is currently authored, matrix.language will never be either of these two options. So this is essentially a dead code path as it exists today. But I can add it back if it is an area of future change.

[Pil0tXia]

I have tried to run Build C with an additional submodule: true param and it encountered a compile error: https://github.com/Pil0tXia/eventmesh/actions/runs/7506142011/job/20436880958. Let's keep the original Build C task and I'll address it in #4742 and #4743.

[clayburn]

I am not familiar with your usage of CodeQL, so I made the assumption that you used it to scan test code as well. If you do not, the compileTestJava task can be removed here.

[Pil0tXia]

Based on our previous experience, we would like to execute the build task. The build task should already include the assemble and compileTestJava tasks. In your experience, do you think it's necessary to replace the build task with the assemble and compileTestJava tasks?

[clayburn]

build will run everything in the build, most notably the tests. The tests will be verified in the Continuous Integration workflow, so running them here would be redundant (unless I misunderstand and CodeQL needs to see them execute). Running assemble compileTestJava will just compile main and test source set that CodeQL cares about.

If you find it better, we could change this to something like build -x test for a similar result.

[Pil0tXia]

OK, let's keep assemble compileTestJava then. This way, only the source code will be compiled, but CodeQL doesn't need them to run.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (aae0d54) 17.60% compared to head (fc4a7b8) 17.59%.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #4740      +/-   ##
============================================
- Coverage     17.60%   17.59%   -0.02%     
+ Complexity     1775     1774       -1     
============================================
  Files           797      797              
  Lines         29786    29786              
  Branches       2573     2573              
============================================
- Hits           5243     5240       -3     
- Misses        24063    24065       +2     
- Partials        480      481       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Pil0tXia]

LGTM, Good job!