ci: use CodeQL instead of LGTM

[mrc0mmand]

As LGTM is going to be shut down by EOY[0], let's move the code scanning to CodeQL as recommended. Thanks to GH integration the results from such scans will be shown both in the respective PR and in the Security -> Code Scanning tab[1].

[0] https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/
[1] https://github.com/systemd/mkosi/security/code-scanning

---

Once this is merged I'll go ahead and disable the LGTM integration completely.

Note: I had to create this branch directly in the upstream repo, otherwise GH wouldn't pick up the new action until it's merged.

[mrc0mmand]

Also a note: the current CodeQL fail is expected, since it's a first scan that found all the possible issues in the code base, which are already reported by LGTM. Also, it's missing the base branch results, which will get resolved once this is merged.

[mrc0mmand]

I enabled the extend query suites, so now it reports quite a number of potential issues, see https://github.com/systemd/mkosi/security/code-scanning?query=pr%3A1186+tool%3ACodeQL+is%3Aopen

If you don't find the extended checks useful, please let me know and I'll disable them again.

[behrmann]

Also a note: the current CodeQL fail is expected, since it's a first scan that found all the possible issues in the code base, which are already reported by LGTM. Also, it's missing the base branch results, which will get resolved once this is merged.

So on the next PR the test will succeed if no new problems are added? Is there a way to see the baseline results afterwards?

[mrc0mmand]

Also a note: the current CodeQL fail is expected, since it's a first scan that found all the possible issues in the code base, which are already reported by LGTM. Also, it's missing the base branch results, which will get resolved once this is merged.

So on the next PR the test will succeed if no new problems are added?

Exactly.

Is there a way to see the baseline results afterwards?

They'll appear in the Security tab under Code Scanning - https://github.com/systemd/mkosi/security/code-scanning

[behrmann]

LGTM. I've scrolled through the warnings and some things are noise, but some do warrant looking into. Since this will stay available I see no reason to not merge this, since it's definitely a leg up from lgtm.com.

One last question though: Does this have a know for which Python version to target or can it read that from e.g. pyproject.toml?

[mrc0mmand]

LGTM. I've scrolled through the warnings and some things are noise, but some do warrant looking into. Since this will stay available I see no reason to not merge this, since it's definitely a leg up from lgtm.com.

One last question though: Does this have a know for which Python version to target or can it read that from e.g. pyproject.toml?

It tries to sort of autodetect stuff from the files lying around:

  Will try to guess Python version, as it was not specified in `lgtm.yml`
  Trying to guess Python version based on Trove classifiers in setup.py
  Found no Trove classifiers for Python in setup.py
  Trying to guess Python version based on travis file
  Did not find any travis files (expected them at either ['/home/runner/work/mkosi/mkosi/.travis.yml', '/home/runner/work/mkosi/mkosi/travis.yml'])
  Trying to guess Python version based on installed versions
  Only Python 3 installed -- will use that version
  Found setup.py, will install package with pip in editable mode

but currently it falls back to the installed python 3.10. However, if the need arises, you can configure the environment as needed before calling the CodeQL analysis.

[mrc0mmand]

Also, to add to this, CodeQL does pip install -e . which should respect the pyproject.toml and other such files (though there's currently a bug in the logic there - github/codeql-action#1249).

[DaanDeMeyer]

I guess we'll need to go over and try to fix the reported warnings before merging this

[mrc0mmand]

I guess we'll need to go over and try to fix the reported warnings before merging this

Well, the warnings won't get reported again (i.e. no noise in other PRs), but stay visible in the Security tab, so they can be fixed later without the need of blocking this (so CodeQL could possibly analyze other PRs).

[poettering]

So I guess #1120 can be closed now?