
enable codeql for python and gh actions#5488

Open

cgoea wants to merge 3 commits into main from users/cgoea/codeql

Conversation

@cgoea (Contributor) commented May 28, 2026

Motivation

Minimal implementation of CodeQL for Python and GitHub Actions. First step in enabling CodeQL. Second step should compile TheRock with ccache off and with CodeQL flags.

Technical Details

Runs on each pull request and on a schedule, Saturdays at 10:00 UTC. Pull-request runs are limited to paths containing Python scripts and GitHub Actions.

Submission Checklist

@github-advanced-security commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

cgoea requested review from ScottTodd and marbre on May 28, 2026 09:30
@HereThereBeDragons (Contributor)

@jayhawk-commits can you comment here on whether we need CodeQL extra here, or is the GitHub code thing you enabled including it?

@jayhawk-commits (Contributor)

> @jayhawk-commits can you comment here on whether we need CodeQL extra here, or is the GitHub code thing you enabled including it?

I disabled the GitHub Code Quality feature because there was no option to disable the AI feature of it, from what I saw.

@ScottTodd (Member)

> @jayhawk-commits can you comment here on whether we need CodeQL extra here, or is the GitHub code thing you enabled including it?

> I disabled the GitHub Code Quality feature because there was no option to disable the AI feature of it, from what I saw.

I wonder if "copilot code review" here lets us keep CodeQL but disable Copilot: https://github.com/ROCm/TheRock/settings/copilot/coding_agent

Doesn't seem like it given https://github.com/ROCm/TheRock/settings/code-quality though

Comment thread on .github/workflows/codeql.yml

```yaml
strategy:
  fail-fast: false
  matrix:
    language: [python, actions]
```

A contributor commented:

Maybe as a note: right now it does not support Python 3.14.

Python [9] | 2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13
https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/

Comment thread on .github/workflows/codeql.yml

```yaml
push:
  branches: [main]
pull_request:
  branches: [main]
```

A contributor commented:

```yaml
pull_request:
    branches: [main]
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
```

Maybe worth extending at some point:
https://docs.github.com/en/code-security/reference/code-scanning/workflow-configuration-options

Comment thread on .github/workflows/codeql.yml

```yaml
uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
with:
  languages: ${{ matrix.language }}
  queries: security-extended
```

A contributor commented:

Are we happy with the default config they are providing?
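A complete workflow of the shape the PR description and the three review comments above are discussing, as an added example written for this page and not the PR's own .github/workflows/codeql.yml. It combines the push/pull_request triggers, the language matrix and the pinned init step visible in the review snippets with the Saturday 10:00 UTC schedule from the description. The `paths` filter (Python files and workflow files), the `permissions` block, the unpinned `actions/checkout@v4` step and the `analyze` step are assumptions; the analyze step reuses the commit SHA the PR pins for `init`, which is valid because both actions live in the same github/codeql-action repository, but the PR's actual analyze step is not shown on this page.

```yaml
# Added example workflow; not the PR's own codeql.yml.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
    # Assumed path filter: only scan pull requests that touch Python code
    # or GitHub Actions workflow files.
    paths:
      - '**/*.py'
      - '.github/workflows/**'
  schedule:
    # Saturdays at 10:00 UTC, as stated in the PR description.
    - cron: '0 10 * * 6'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF results to code scanning
      actions: read            # only needed for private repositories
    strategy:
      fail-fast: false
      matrix:
        language: [python, actions]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4   # assumed; the project pins actions to commit SHAs

      - name: Initialize CodeQL
        # SHA pin copied from the PR's init step shown in the review comments.
        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      - name: Perform CodeQL analysis
        # Assumed analyze step, pinned to the same commit as init.
        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          # Keeps the Python and Actions results as separate code scanning categories.
          category: "/language:${{ matrix.language }}"
```

Two points a practitioner would want to check before merging something like this. First, `security-extended` adds lower-precision and lower-severity security queries on top of the default suite, so it reports more alerts, some of them noisy, than the default `queries` setting; the scheduled run on main is where that extra volume shows up first. Second, a `paths` filter on `pull_request` means a pull request that touches none of the listed paths produces no CodeQL check run at all, so the job should not be made a required status check unless that case is handled; the scheduled run has no path filter and scans the whole default branch.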


Labels: None yet

Projects: Status: TODO


6 participants