chore: Add GitHub CodeQL workflow and local Docker runner.

.github/workflows/codeql.yml

@@ -0,0 +1,57 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '39 10 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        submodules: recursive
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends \
+          libconfig-dev \
+          libopus-dev \
+          libsodium-dev \
+          libvpx-dev \
+          ninja-build \
+          pkg-config
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        queries: security-and-quality
+
+    - name: Build
+      run: |
+        cmake -GNinja -B _build -S .
+        cmake --build _build --parallel $(nproc)
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{ matrix.language }}"

other/docker/codeql/build.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+cmake -GNinja -B build -S .
+cmake --build build --parallel "$(nproc)"

other/docker/codeql/codeql.Dockerfile

@@ -0,0 +1,53 @@
+# other/docker/codeql/codeql.Dockerfile
+FROM toxchat/c-toxcore:sources AS sources
+FROM ubuntu:22.04
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    cmake \
+    curl \
+    git \
+    libconfig-dev \
+    libopus-dev \
+    libsodium-dev \
+    libvpx-dev \
+    ninja-build \
+    pkg-config \
+    unzip \
+    wget \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install CodeQL
+ARG CODEQL_VERSION=v2.23.9
+RUN curl -L -o /tmp/codeql.zip https://github.com/github/codeql-cli-binaries/releases/download/${CODEQL_VERSION}/codeql-linux64.zip && \
+    unzip -q /tmp/codeql.zip -d /opt && \
+    rm /tmp/codeql.zip
+
+ENV PATH="/opt/codeql:$PATH"
+
+RUN groupadd -r -g 1000 builder \
+ && useradd -m --no-log-init -r -g builder -u 1000 builder
+
+WORKDIR /home/builder/c-toxcore
+
+# Copy sources
+COPY --chown=builder:builder --from=sources /src/ /home/builder/c-toxcore/
+
+# Pre-create build directory
+RUN mkdir -p build codeql-db && chown builder:builder codeql-db build
+
+# Copy scripts
+COPY --chown=builder:builder other/docker/codeql/build.sh .
+COPY --chown=builder:builder other/docker/codeql/run-analysis.sh .
+
+RUN chmod +x build.sh run-analysis.sh
+
+USER builder
+
+# Download standard queries as builder
+RUN codeql pack download codeql/cpp-queries
+
+CMD ["./run-analysis.sh"]

other/docker/codeql/run

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -eux
+
+BUILD=codeql
+
+# Ensure the sources image is built
+other/docker/sources/build.sh
+
+# Build the codeql image
+docker build -t "toxchat/c-toxcore:$BUILD" -f "other/docker/$BUILD/$BUILD.Dockerfile" .
+
+# Run the container
+echo "Running CodeQL analysis..."
+docker run --rm "toxchat/c-toxcore:$BUILD"

other/docker/codeql/run-analysis.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+echo "Creating CodeQL Database..."
+codeql database create codeql-db --language=cpp --overwrite --command="./build.sh"
+echo "Analyzing..."
+codeql database analyze codeql-db codeql/cpp-queries:codeql-suites/cpp-security-and-quality.qls --format=csv --output=codeql-db/results.csv
+echo "Analysis complete. Results in codeql-db/results.csv"
+cat codeql-db/results.csv