Add CodeQL workflow for GitHub code scanning

.github/codeql.yml

@@ -0,0 +1,29 @@
+# Suppress some CodeQL warnings.
+query-filters:
+
+  # A few occurrences of try/except clauses without naming a specific exception type.
+  # TODO: May be improved.
+  # https://codeql.github.com/codeql-query-help/python/py-empty-except/
+  - exclude:
+      id: py/empty-except
+
+  # A module is imported with the "import" and "import from" statements.
+  # CodeQL says "Importing a module twice using the import xxx and from xxx import yyy is confusing.".
+  # While it has a point, it is still more than acceptable.
+  # https://codeql.github.com/codeql-query-help/python/py-import-and-import-from/
+  - exclude:
+      id: py/import-and-import-from
+
+  # Quite a few functions don't explicitly return values, but
+  # instead implicitly return `None`, when falling through.
+  # TODO: May be improved.
+  # https://codeql.github.com/codeql-query-help/python/py-mixed-returns/
+  - exclude:
+      id: py/mixed-returns
+
+  # The parameter naming in `CrateCompiler._get_crud_params` is so that it triggers this admonition.
+  # However, by using an alternative name for the first parameter of an instance method, it would
+  # make the code harder to read.
+  # https://codeql.github.com/codeql-query-help/python/py-not-named-self/
+  - exclude:
+      id: py/not-named-self

.github/workflows/codeql.yml

@@ -0,0 +1,54 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: "46 2 * * 5"
+
+  # Allow job to be triggered manually.
+  workflow_dispatch:
+
+# Cancel in-progress jobs when pushing to the same branch.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ python ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql.yml
+          queries: +security-and-quality
+
+      #- name: Autobuild
+      #  uses: github/codeql-action/autobuild@v2
+
+      - name: Install project
+        run: |
+          pip install --editable=.[sqlalchemy,test,doc]
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"

bin/test

@@ -11,6 +11,6 @@ base = os.path.dirname(base)
 sys.argv[0] = os.path.abspath(sys.argv[0])
 
 if __name__ == '__main__':
-    sys.exit(zope.testrunner.run((['--auto-color', '--verbose']) + [
+    zope.testrunner.run((['--auto-color', '--verbose']) + [
         '--test-path', join(base, 'src'),
-        ]))
+        ])

src/crate/client/sqlalchemy/compiler.py

@@ -22,9 +22,9 @@
 import string
 from collections import defaultdict
 
-import sqlalchemy as sa  # lgtm[py/import-and-import-from]
+import sqlalchemy as sa
 from sqlalchemy.dialects.postgresql.base import PGCompiler
-from sqlalchemy.sql import compiler, crud, selectable  # lgtm[py/import-and-import-from]
+from sqlalchemy.sql import compiler, crud, selectable
 from .types import MutableDict
 from .sa_version import SA_VERSION, SA_1_4
 

src/crate/testing/layer.py

@@ -358,7 +358,6 @@ def _wait_for(self, validator):
                 time.sleep(self.wait_interval)
 
         self.monitor.consumers.remove(line_buf)
-        line_buf = None
 
     def _wait_for_start(self):
         """Wait for instance to be started"""