GHA: drop codeql

We started using codeql for static code analysis in 7183f5acc3, June 2020. Since then, not a single commit has been merged into the source code repository citing codeql as source or reason. Yet, it keeps getting updated and we get constant reminders to upgrade the pinning it to the latest hash. During 4.5 years with intense development and significant code churn. While Coverity, scan-build and CodeSonar have belped us point out many mistakes, codeql has remained silent (or had false positives). For this little gain, I think we spend a disproportionate amount of work on codeql maintanance. We can try again in a future if we think it improves. Assisted-by: Viktor Szakats Closes #15798
2025-09-10 22:22:43 +03:00 · 2024-12-21 14:58:24 +01:00 · 2024-12-21 14:58:24 +01:00 · 173805b2e7
commit 173805b2e7
parent 5bdcaa76d1
3 changed files with 0 additions and 91 deletions
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@ -121,8 +121,6 @@ CMakeLists
 CNA
 CNAME
 CNAMEs
-CodeQL
-codeql
 CODESET
 codeset
 Comcast
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -1,85 +0,0 @@
-# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
-#
-# SPDX-License-Identifier: curl
-
-name: CodeQL
-
-'on':
-  push:
-    branches:
-      - master
-      - '*/ci'
-    paths-ignore:
-      - '**/*.md'
-      - '.circleci/**'
-      - 'appveyor.*'
-      - 'docs/**'
-      - 'packages/**'
-      - 'plan9/**'
-      - 'projects/**'
-      - 'tests/data/**'
-      - 'winbuild/**'
-  pull_request:
-    branches:
-      - master
-    paths-ignore:
-      - '**/*.md'
-      - '.circleci/**'
-      - 'appveyor.*'
-      - 'docs/**'
-      - 'packages/**'
-      - 'plan9/**'
-      - 'projects/**'
-      - 'tests/data/**'
-      - 'winbuild/**'
-  schedule:
-    - cron: '0 0 * * 4'
-
-concurrency:
-  group: ${{ github.workflow }}
-
-permissions: {}
-
-jobs:
-  codeql:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    steps:
-      - name: 'install prereqs'
-        run: |
-          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update -y
-          sudo apt-get install -y --no-install-suggests --no-install-recommends \
-            libpsl-dev
-
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
-        with:
-          languages: cpp
-          queries: security-extended
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 https://git.io/JvXDl
-
-      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-      #    and modify them (or add more) to build your code if your project
-      #    uses a compiled language
-
-      # - run: |
-      #    make bootstrap
-      #    make release
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
--- a/tests/CI.md
+++ b/tests/CI.md
@ -31,10 +31,8 @@ Consider the following table while looking at pull request failures:

 | CI platform as shown in PR          | State  | What to look at next       |
 | ----------------------------------- | ------ | -------------------------- |
- | CI / codeql                         | stable | quality check results      |
 | CI / fuzzing                        | stable | fuzzing results            |
 | CI / macos ...                      | stable | all errors and failures    |
- | Code scanning results / CodeQL      | stable | quality check results      |
 | FreeBSD FreeBSD: ...                | stable | all errors and failures    |
 | LGTM analysis: Python               | stable | new findings               |
 | LGTM analysis:  C/C++               | stable | new findings               |
@ -42,7 +40,6 @@ Consider the following table while looking at pull request failures:
 | AppVeyor                            | flaky  | all errors and failures    |
 | curl.curl (linux ...)               | stable | all errors and failures    |
 | curl.curl (windows ...)             | flaky  | repetitive errors/failures |
- | CodeQL                              | stable | new findings               |

 Sometimes the tests fail due to a dependency service temporarily being offline
 or otherwise unavailable, for example package downloads. In this case you can
@ -62,7 +59,6 @@ GitHub Actions runs the following tests:
 - Fuzz tests ([see the curl-fuzzer repo for more
  info](https://github.com/curl/curl-fuzzer)).
 - Curl compiled using the Rust TLS backend with Hyper
- CodeQL static analysis

 These are each configured in different files in `.github/workflows`.