Add CodeQL run for GitHub Actions (#343)

* Add CodeQL run for GitHub Actions

CodeQL now supports analysis of GitHub Action scripts.

* Add permissions

* Remove old pre-release changelog

Author: ppkarwasz

.github/workflows/codeql-analysis-reusable.yaml

@@ -27,7 +27,7 @@ on:
       # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'kotlin', 'python', 'ruby' ]
       # Learn more about CodeQL language support at https://git.io/codeql-language-support
       language:
-        description:
+        description: Language used in the repository
         default: java
         type: string
 
@@ -45,7 +45,8 @@ jobs:
       - name: Initialize CodeQL
         uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5    # 3.28.11
         with:
-          languages: ${{ inputs.language }}
+          # Also check GitHub Actions
+          languages: ${{ inputs.language }}, actions
 
       - name: Setup JDK
         uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12   # 4.7.0

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,54 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+##
+# Perform CodeQL analysis of GitHub Actions
+name: codeql-analysis
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '32 12 * * 5'
+
+permissions: {}
+
+jobs:
+
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    # Permissions required to publish Security Alerts
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683   # 4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0    # 3.28.9
+        with:
+          languages: actions
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0    # 3.28.9

…x.x/update_dependabot_fetch_metadata.xml src/changelog/.12.x.x/codeql_for_gha.xmlsrc/changelog/.11.x.x/update_dependabot_fetch_metadata.xml renamed to src/changelog/.12.x.x/codeql_for_gha.xml src/changelog/.11.x.x/update_dependabot_fetch_metadata.xml renamed to src/changelog/.12.x.x/codeql_for_gha.xml

@@ -2,7 +2,6 @@
 <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="https://logging.apache.org/xml/ns"
        xsi:schemaLocation="https://logging.apache.org/xml/ns https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"
-       type="updated">
-  <issue id="322" link="https://github.com/apache/logging-parent/pull/322"/>
-  <description format="asciidoc">Update `dependabot/fetch-metadata` to version `2.3.0`</description>
+       type="changed">
+  <description format="asciidoc">Add "GitHub Actions" to the list of languages analyzed by CodeQL.</description>
 </entry>