Create codeql.yml

[alan-forbes-cp]

Initial Github codeql.yml file.
Notes:

• Commit 1 is the standard Github version of the file, added for reference.
• By default CodeQL's autobuild feature fails for this repo so a 'manual' build (codeql.yml file plus container) is required.
• At time of writing, the CI workflow has >1 build flavours. The chosen flavour represents simplest build showing complete 'manual' CodeQL plumbing.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[scottstraughan]

Looks good to me.

[carlewis]

Maybe it would make sense to update the Template-Repo with a harder to scan sample, having this codeql.yml file there too. I think here we can remove the comments refering other languages (javascript, java-kotlin, etc) as they are not used. Other than that LGTM.

[DuncanMcBain]

Hi,
I'm sorry we didn't manage to finish a review on this before your merge, I was imagining we might customise the file to better match this repository rather than sticking with exactly the template. That said I am not familiar with the CodeQL stuff at all so I had been reading the GitHub documentation to try to understand the file contents before leaving a review. Would we be open to further changes to this file down the line? I'd especially be interesting in removing things that are not relevant to this project to keep its footprint as small as possible and to keep it understandable.

[alan-forbes-cp]

Hi @DuncanMcBain
Sorry - didn't realise you were mid-review - my mistake.
The CodeQL file is already customised to the repo. There is a CodeQL autobuild function which attempts to build "out-the-box" but it failed in this case (due largely to the use of containers) so currently its using a minimal build from your corresponding CI workflow file. Further changes are absolutely fine. In particular, where there are several valid build flavours, any of which may be subject to change, this may need more tailoring. Also in this case there is duplicate code between CI and CodeQL workflows which is not great. That said, the current implementation should be fine for v1.0. Let me know if you have any issues.
Cheers.

[DuncanMcBain]

What I should have done is assign myself the review task, but I didn't, it was my mistake. I'll still go over this to try to understand it, since I think that would be helpful either way, and then maybe if I think there's some bits we can cut down on (e.g. I'm planning to remove every mention of "swift" I can see 😆 ) then I'll maybe make a PR for that. Cheers!