From 7cf9a6ffd4ac4642fc4648af10250ffc17de7f82 Mon Sep 17 00:00:00 2001
From: Andrew Brown <andrew.brown@intel.com>
Date: Thu, 26 Sep 2024 15:30:06 -0700
Subject: [PATCH] ci: add `clippy` results to GitHub code scans

In the past, we've overlooked clippy warnings that get lost in the CI
build logs. This change would collect all of those warnings, put them in
[SARIF] form, and list them in GitHub's code scanning view. I recently
added this to `ittapi` and it looks like this: [Code Scanning]. This
means warnings and errors will show up on the security tab as a
notification; the UI allows one to dismiss the warnings. There might be
some integration with PRs but I haven't experimented with that.

I configured this to also run periodically (every Tuesday night); we can
remove that if we only want commits to `main`, e.g. If we do adopt this,
we should think about what to do with the `clippy` job in
`main.yml`--does it stay or go?

[SARIF]: https://sarifweb.azurewebsites.net
[Code Scanning]: https://github.com/intel/ittapi/security/code-scanning?query=branch%3Amaster+
---
 .github/workflows/scan.yml | 51 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 .github/workflows/scan.yml

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 000000000000..bfeeafb580f4
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,51 @@
+# Scan the code in this repository; publish results to
+# https://github.com/bytecodealliance/wasmtime/security/code-scanning.
+
+name: Code Scan
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "4 3 * * 2"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (Rust)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    env:
+        CARGO_NDK_VERSION: 2.12.2
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+            submodules: true
+
+      - uses: ./.github/actions/install-rust
+
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@3a99ae3c155195e5518c9ff954bee1b90f98b82c # v1.10.6
+
+      - name: Install dependencies
+        run: cargo binstall --no-confirm clippy-sarif sarif-fmt
+
+      - name: Run clippy
+        run: |
+          cargo clippy --workspace --all-targets --message-format=json > clippy.json
+          clippy-sarif --input clippy.json --output clippy.sarif
+          sarif-fmt --input clippy.sarif
+        continue-on-error: true
+
+      - name: Upload analysis
+        uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # v2.19.0
+        with:
+          sarif_file: clippy.sarif
+          wait-for-processing: true