From 42dbcfcbfebbcea16028c297422113f02a89b4b1 Mon Sep 17 00:00:00 2001
From: Andrew Brown <andrew.brown@intel.com>
Date: Thu, 26 Sep 2024 15:30:06 -0700
Subject: [PATCH 1/2] ci: add `clippy` results to GitHub code scans

In the past, we've overlooked clippy warnings that get lost in the CI
build logs. This change would collect all of those warnings, put them in
[SARIF] form, and list them in GitHub's code scanning view. I recently
added this to `ittapi` and it looks like this: [Code Scanning]. This
means warnings and errors will show up on the security tab as a
notification; the UI allows one to dismiss the warnings. There might be
some integration with PRs but I haven't experimented with that.

I configured this to also run periodically (every Tuesday night); we can
remove that if we only want commits to `main`, e.g. If we do adopt this,
we should think about what to do with the `clippy` job in
`main.yml`--does it stay or go?

[SARIF]: https://sarifweb.azurewebsites.net
[Code Scanning]: https://github.com/intel/ittapi/security/code-scanning?query=branch%3Amaster+
---
 .github/workflows/scan.yml | 54 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .github/workflows/scan.yml

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 000000000000..9d5836036e1b
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,54 @@
+# Scan the code in this repository; publish results to
+# https://github.com/bytecodealliance/wasmtime/security/code-scanning.
+
+name: Code Scan
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "4 3 * * 2"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (Rust)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    env:
+        CARGO_NDK_VERSION: 2.12.2
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+            submodules: true
+
+      - uses: ./.github/actions/install-rust
+
+      - name: Install clippy
+        run: rustup component add clippy
+
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@3a99ae3c155195e5518c9ff954bee1b90f98b82c # v1.10.6
+
+      - name: Install dependencies
+        run: cargo binstall --no-confirm clippy-sarif sarif-fmt
+
+      - name: Run clippy
+        run: |
+          cargo clippy --workspace --all-targets --message-format=json > clippy.json
+          clippy-sarif --input clippy.json --output clippy.sarif
+          sarif-fmt --input clippy.sarif
+        continue-on-error: true
+
+      - name: Upload analysis
+        uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # v2.19.0
+        with:
+          sarif_file: clippy.sarif
+          wait-for-processing: true

From 671f0ccb553a5ba2fcf928583108e7b3a16baff7 Mon Sep 17 00:00:00 2001
From: Andrew Brown <andrew.brown@intel.com>
Date: Wed, 2 Oct 2024 08:23:15 -0700
Subject: [PATCH 2/2] debug: add `clippy.question_mark`

---
 Cargo.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Cargo.toml b/Cargo.toml
index e4dbe38a34b6..bb093fbb3cf3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -187,6 +187,7 @@ manual_strip = 'warn'
 unnecessary_mut_passed = 'warn'
 unnecessary_fallible_conversions = 'warn'
 unnecessary_cast = 'warn'
+question_mark = 'warn'
 
 [workspace.dependencies]
 arbitrary = { version = "1.3.1" }