From 2bae8fec6ad3d2120a1163b1547b1864f4cb4522 Mon Sep 17 00:00:00 2001
From: Wenju He
Date: Tue, 4 Jun 2024 08:09:13 +0800
Subject: [PATCH 1/5] Add SAST tool CodeQL scan
Address OpenSSF "SAST" in #516
---
.github/workflows/codeql.yml | 52 ++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..9183ccf
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,52 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: c-cpp
+ build-mode: manual
+
+ steps:
+ - name: Checkout opencl-clang sources for action files
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+ - name: Run build-opencl-clang action
+ uses: ./.github/actions/build-opencl-clang
+ with:
+ ref_llvm: main
+ ref_translator: main
+ ref_opencl-clang: main
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+ with:
+ category: "/language:${{matrix.language}}"
From d0842a2e107acd3df8649d1a62a12aee0ccefe0d Mon Sep 17 00:00:00 2001
From: Wenju He
Date: Tue, 4 Jun 2024 09:59:14 +0800
Subject: [PATCH 2/5] move build to between CodeQL init and analyze
---
.github/workflows/codeql.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9183ccf..fa9dd94 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -33,6 +33,12 @@ jobs:
 - name: Checkout opencl-clang sources for action files
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ + - name: Run build-opencl-clang action
 uses: ./.github/actions/build-opencl-clang
 with:
@@ -40,12 +46,6 @@ jobs:
 ref_translator: main
 ref_opencl-clang: main
- - name: Initialize CodeQL
- uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
- with:
- languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
- - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
 with:
From e5a1e454b63d04b51a134c5bdec515df073981c4 Mon Sep 17 00:00:00 2001
From: Wenju He
Date: Wed, 5 Jun 2024 10:22:38 +0800
Subject: [PATCH 3/5] use out-of-tree build
---
.github/workflows/codeql.yml | 86 ++++++++++++++-----
.../on-push-verification-out-of-tree.yml | 2 -
2 files changed, 66 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fa9dd94..9035d24 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,6 +9,10 @@ on:
 permissions:
 contents: read
+env:
+ LLVM_VERSION: 19
+ LLVM_VERSION_MINOR: 0
+
 jobs:
 analyze:
 name: Analyze
@@ -30,23 +34,65 @@ jobs:
 build-mode: manual
 steps:
- - name: Checkout opencl-clang sources for action files
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
- with:
- languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
-
- - name: Run build-opencl-clang action
- uses: ./.github/actions/build-opencl-clang
- with:
- ref_llvm: main
- ref_translator: main
- ref_opencl-clang: main
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
- with:
- category: "/language:${{matrix.language}}"
+
+ - name: Install llvm and its dependencies
+ run: |
+ curl -L "https://apt.llvm.org/llvm-snapshot.gpg.key" | sudo apt-key add -
+ curl -L "https://packages.lunarg.com/lunarg-signing-key-pub.asc" | sudo apt-key add -
+ echo "deb https://apt.llvm.org/jammy/ llvm-toolchain-jammy main" | sudo tee -a /etc/apt/sources.list
+ echo "deb https://packages.lunarg.com/vulkan jammy main" | sudo tee -a /etc/apt/sources.list
+ sudo apt-get update
+ sudo apt-get -yq --no-install-suggests --no-install-recommends install \
+ clang-${{ env.LLVM_VERSION }} \
+ llvm-${{ env.LLVM_VERSION }}-dev \
+ libclang-${{ env.LLVM_VERSION }}-dev \
+ libclang-cpp${{ env.LLVM_VERSION }}-dev \
+ libpolly-${{ env.LLVM_VERSION }}-dev \
+ libzstd-dev \
+ libedit-dev
+
+ - name: Checkout SPIRV-LLVM-Translator sources
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ repository: KhronosGroup/SPIRV-LLVM-Translator
+ path: SPIRV-LLVM-Translator
+ ref: main
+
+ - name: Build SPIRV-LLVM-Translator
+ run: |
+ builddir=${{ github.workspace }}/SPIRV-LLVM-Translator/build
+ cmake -B "$builddir" \
+ ${{ github.workspace }}/SPIRV-LLVM-Translator \
+ -DLLVM_INCLUDE_TESTS=OFF \
+ -DCMAKE_INSTALL_PREFIX="$builddir"/install \
+ -DCMAKE_BUILD_TYPE=Release
+ cmake --build 
"$builddir" -j $(nproc)
+ cmake --install "$builddir"
+ echo "spirv-translator-dir=${builddir}/install" >> $GITHUB_ENV
+
+ - name: Checkout opencl-clang sources for action files
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ path: opencl-clang
+ ref: ${{ github.ref }}
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Run build-opencl-clang action
+ run: |
+ mkdir build && cd build
+ cmake ${{ github.workspace }}/opencl-clang \
+ -DPREFERRED_LLVM_VERSION="${{ env.LLVM_VERSION }}.${{ env.LLVM_VERSION_MINOR }}" \
+ -DLLVMSPIRV_INCLUDED_IN_LLVM=OFF \
+ -DSPIRV_TRANSLATOR_DIR=${{ env.spirv-translator-dir }} \
+ -DCMAKE_BUILD_TYPE=Release
+ cmake --build . -j $(nproc)
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/on-push-verification-out-of-tree.yml b/.github/workflows/on-push-verification-out-of-tree.yml
index 17769b1..e5ec3a4 100644
--- a/.github/workflows/on-push-verification-out-of-tree.yml
+++ b/.github/workflows/on-push-verification-out-of-tree.yml
@@ -1,7 +1,5 @@
 # ===---
 # Running on push & pull_request.
-# This workflow parses the destination branch
-# to choose correct dependencies revisions
 # ===---
 name: Out-of-tree build
From dca4ffd59eebc65ba875481432ba5d5be602fb2a Mon Sep 17 00:00:00 2001
From: Wenju He
Date: Wed, 5 Jun 2024 12:07:11 +0800
Subject: [PATCH 4/5] remove opencl-clang path
---
.github/workflows/codeql.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9035d24..cb943e0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
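Review bot: The `Install llvm and its dependencies` step registers two third-party apt sources with `curl -L … | sudo apt-key add -` and `tee -a /etc/apt/sources.list`, so both keys land in the global trusted keyring and either repository may supply any package name at the later `apt-get install`; `apt-key` is also deprecated on jammy. Every package installed in this hunk comes from the LLVM repository (`clang-…`, `llvm-…-dev`, `libclang…`, `libpolly…`, `libzstd-dev`, `libedit-dev`), so the LunarG key and `vulkan` repo look unused and should be dropped, while the LLVM key should be bound to its own repo with `signed-by=` and fetched with `curl -fsSL` so an HTTP error page is never piped into the keyring, as sketched below. The repo line hardcodes `jammy` while the job runs on `ubuntu-latest` (outside this hunk), whose codename will change; `runs-on: ubuntu-22.04` keeps the two consistent. The translator is also checked out at `ref: main`, so the CodeQL baseline depends on an unpinned upstream; a tag or commit SHA would make runs reproducible.
```yaml
      - name: Install llvm and its dependencies
        run: |
          sudo install -d -m 0755 /etc/apt/keyrings
          curl -fsSL "https://apt.llvm.org/llvm-snapshot.gpg.key" | sudo gpg --dearmor -o /etc/apt/keyrings/apt.llvm.org.gpg
          echo "deb [signed-by=/etc/apt/keyrings/apt.llvm.org.gpg] https://apt.llvm.org/jammy/ llvm-toolchain-jammy main" | sudo tee /etc/apt/sources.list.d/llvm.list
          # … unchanged: apt-get update / apt-get install …
```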
@@ -73,7 +73,6 @@ jobs:
 - name: Checkout opencl-clang sources for action files
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
- path: opencl-clang
 ref: ${{ github.ref }}
 - name: Initialize CodeQL
@@ -82,10 +81,10 @@ jobs:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
- - name: Run build-opencl-clang action
+ - name: Build opencl-clang
 run: |
 mkdir build && cd build
- cmake ${{ github.workspace }}/opencl-clang \
+ cmake ${{ github.workspace }} \
 -DPREFERRED_LLVM_VERSION="${{ env.LLVM_VERSION }}.${{ env.LLVM_VERSION_MINOR }}" \
 -DLLVMSPIRV_INCLUDED_IN_LLVM=OFF \
 -DSPIRV_TRANSLATOR_DIR=${{ env.spirv-translator-dir }} \
From 87b44ca6d96ef8d6fee1710b2eb4e81e2a30eace Mon Sep 17 00:00:00 2001
From: Wenju He
Date: Wed, 5 Jun 2024 14:06:53 +0800
Subject: [PATCH 5/5] checkout SPIRV-LLVM-Translator after checking out opencl-clang
---
.github/workflows/codeql.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cb943e0..c2b92d4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -51,6 +51,11 @@ jobs:
 libzstd-dev \
 libedit-dev
+ - name: Checkout opencl-clang sources for action files
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ ref: ${{ github.ref }}
+
 - name: Checkout SPIRV-LLVM-Translator sources
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
@@ -70,11 +75,6 @@ jobs:
 cmake --install "$builddir"
 echo "spirv-translator-dir=${builddir}/install" >> $GITHUB_ENV
- - name: Checkout opencl-clang sources for action files
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- with:
- ref: ${{ github.ref }}
-
 - name: Initialize CodeQL
 uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
 with:
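Review bot: The checkout step added at the top of the `@@ -51,6 +51,11 @@` hunk passes `ref: ${{ github.ref }}`, which is what actions/checkout resolves to by default (the PR merge ref on `pull_request`, the pushed ref on `push`), so the line changes nothing and reads as if a specific revision had been chosen; drop it, or replace it with `# default ref: PR merge commit on pull_request, pushed branch on push`. The step has no `path`, so it checks out into the workspace root; if, as the commit subject implies, that is why it must now run before the SPIRV-LLVM-Translator checkout into a subdirectory, a comment such as `# keep before any checkout into a subdirectory: a root checkout resets the workspace` would stop a later reorder from silently discarding the translator tree.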