Create codeQLworkflow.yml

[jukzi]

eclipse-platform/.github#141

[HannesWell]

If the codeQL workflow would be added to the existing mavenBuild workflow (maybe with an option to disable/enable it), we would probably save a lot of duplication?

[jukzi]

mavenBuild is a matrix of JVM versions, while codeQL is a matrix of programming languages.
mavenBuild is normally scheduled for each PR, codeQL is normally scheduled once a week or commit on master - the results are not shown on the PR but in the security tab.

[laeubi]

I have ssen CodeQL runs also on PR verification, nerveless it could be an independent workflow that could then be added to the projets CI workflow like the license check. What I'm wondering, why does it need a maven build at all?

[jukzi]

by default it uses autobuild, which does not work for our repos. It needs to be build somehow. I guess it analyses the .class files. It worked with maven. If you have another working solution please do.

[jukzi]

https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages#autobuild-for-java--and-kotlin

[laeubi]

Your inital description contains:

CodeQL https://codeql.github.com/ can hint to problems in sourcecode

So I somehow assumed it analyzes the source... but if it requires a mavenbuild, maybe one can reuse the results of the regular maven build like it is done with the Junit results?