Remove CodeQL scanner & move others to new weekly schedule (#1109)

GitHub enhanced their CodeQL scanner and its configuration options since
the time I originally wrote the custom workflow file here. It's now
easier to simply use GitHub's repository options for setting up CodeQL.
No need to maintain our own workflow anymore.

Also, the other scanners (OSV and Scorecard) are run on every PR, so
there is not much value in running also running them nightly. I moved
them to a new weekly workflow because it's still worth running them
regularly.

Finally, this updates the workflows to the latest versions used in our
template repo.

---------

Co-authored-by: Pavol Juhas <[email protected]>

Author: mhucka

.github/workflows/codeql.yaml

@@ -74,7 +74,7 @@ jobs:
 
     steps:
       - name: Check out a copy of the OpenFermion git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Set up Python ${{matrix.python-version}}
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5

.github/workflows/nightly-pytest.yaml

@@ -13,14 +13,12 @@
 # limitations under the License.
 
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Nightly tests and scans workflow.
-#
 # This workflow runs nightly to run tests & scans on the OpenFermion codebase.
 # It can also be invoked manually via the "Run workflow" button at
 # https://github.com/quantumlib/OpenFermion/actions/workflows/nightly.yaml
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-name: 'Nightly tests & scans'
+name: 'Nightly tests'
 run-name: Run nightly tests and code scans
 
 on:
@@ -47,25 +45,3 @@ jobs:
     with:
       args: '--pre'
       reason: '(nightly)'
-
-  codeql:
-    name: Nightly CodeQL code scan
-    uses: ./.github/workflows/codeql.yaml
-    permissions: write-all
-    with:
-      reason: '(nightly)'
-
-  osv:
-    name: Nightly OSV code scan
-    uses: ./.github/workflows/osv-scanner.yaml
-    permissions: write-all
-    with:
-      reason: '(nightly)'
-
-  scorecard:
-    name: Nightly Scorecard analysis
-    uses: ./.github/workflows/scorecard.yaml
-    permissions: write-all
-    secrets: inherit
-    with:
-      reason: '(nightly)'

.github/workflows/nightly.yaml

@@ -20,18 +20,18 @@
 # JavaScript, and others. The findings are reported in the repo's code-scanning
 # results page, https://github.com/quantumlib/REPO/security/code-scanning/.
 #
-# The OSV project provides a GA workflow that you can reference as a step with
+# Note: the OSV project provides a workflow you can reference as a step with
 # uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml.
 # Unfortunately, that workflow hardcodes some behaviors (such as uploading the
-# SARIF file to the workflow Actions tab, which we rarely need). The workflow
-# below is basically a heavily modified version of theirs.
+# SARIF file to the workflow Actions tab, which we have never needed). The
+# workflow in this file is basically a heavily modified version of theirs.
 #
 # For more OSV scanner examples and options, including how to ignore specific
 # vulnerabilities, see https://google.github.io/osv-scanner/github-action/.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-name: OSV code scan
-run-name: Run OSV vulnerability scanner ${{inputs.reason}}
+name: OSV known vulnerabilities scanner
+run-name: Run OSV (open-source vulnerabilities) scanner ${{inputs.reason}}
 
 on:
   pull_request:
@@ -45,20 +45,36 @@ on:
     types:
       - checks_requested
 
-  # Allow manual invocation.
-  workflow_dispatch:
-
-  # Allow calling from nightly.yaml.
+  # Allow calling from other workflows.
   workflow_call:
     inputs:
       reason:
+        description: 'Append text to workflow run name:'
         type: string
+      debug:
+        description: 'Run with debugging options'
+        type: boolean
+        default: false
+
+  # Allow manual invocation.
+  workflow_dispatch:
+    inputs:
+      debug:
+        description: 'Run with debugging options'
+        type: boolean
+        default: true
 
-# Declare default permissions as read only.
+# Declare default workflow permissions as read only.
 permissions: read-all
 
+concurrency:
+  # Cancel any previously-started but still active runs on the same branch.
+  cancel-in-progress: true
+  group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
+
 jobs:
   osv-scan:
+    if: github.repository_owner == 'quantumlib'
     name: Run OSV scanner
     runs-on: ubuntu-24.04
     timeout-minutes: 15
@@ -69,9 +85,12 @@ jobs:
       security-events: write
       # Needed to upload SARIF file to CodeQL.
       contents: read
+    env:
+      # Setting Bash SHELLOPTS here takes effect for all shell commands below.
+      SHELLOPTS: ${{inputs.debug && 'xtrace' || '' }}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
 
@@ -82,10 +101,11 @@ jobs:
 
       - name: Run OSV scanner on existing code
         # yamllint disable rule:line-length
-        uses: google/osv-scanner-action/osv-scanner-action@456ceb78310755116e0a3738121351006286b797 # v2.2.1
+        uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
         continue-on-error: true
         with:
           scan-args: |-
+            --include-git-root
             --format=json
             --output=old-results.json
             --recursive
@@ -99,18 +119,19 @@ jobs:
 
       - name: Run OSV scanner on new code
         # yamllint disable rule:line-length
-        uses: google/osv-scanner-action/osv-scanner-action@456ceb78310755116e0a3738121351006286b797 # v2.2.1
+        uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
         continue-on-error: true
         with:
           scan-args: |-
+            --include-git-root
             --format=json
             --output=new-results.json
             --recursive
             ./
 
       - name: Run the OSV scanner reporter
         # yamllint disable rule:line-length
-        uses: google/osv-scanner-action/osv-reporter-action@456ceb78310755116e0a3738121351006286b797 # v2.2.1
+        uses: google/osv-scanner-action/osv-reporter-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0
         with:
           scan-args: |-
             --output=osv-results.sarif
@@ -122,10 +143,18 @@ jobs:
       - name: Upload results to the repository's code-scanning results dashboard
         id: upload_artifact
         # yamllint disable rule:line-length
-        uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.10
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
         with:
           sarif_file: osv-results.sarif
 
+      - if: github.event.inputs.debug == true
+        name: Upload results as artifacts to the workflow Summary page
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
       - name: Error troubleshooter
         if: ${{always() && steps.upload_artifact.outcome == 'failure'}}
         run: echo '::error::Artifact upload failed. Check the workflow logs.'

.github/workflows/osv-scanner.yaml

@@ -36,27 +36,41 @@ on:
     types:
       - checks_requested
 
-  # Allow manual invocation.
-  workflow_dispatch:
-
   # Allow calling from nightly.yaml.
   workflow_call:
     inputs:
       reason:
+        description: 'Append text to workflow run name:'
         type: string
+      debug:
+        description: 'Run with debugging options'
+        type: boolean
+        default: false
 
-# Declare default permissions as read only.
+  # Allow manual invocation.
+  workflow_dispatch:
+    inputs:
+      debug:
+        description: 'Run with debugging options'
+        type: boolean
+        default: true
+
+# Declare default workflow permissions as read only.
 permissions: read-all
 
 jobs:
   scorecard:
+    if: github.repository_owner == 'quantumlib'
     name: Run Scorecard analyzer
     runs-on: ubuntu-24.04
-    permissions: write-all
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     timeout-minutes: 15
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           persist-credentials: false
 
@@ -72,6 +86,14 @@ jobs:
           publish_results: true
 
       - name: Upload results to code-scanning dashboard
-        uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
         with:
           sarif_file: scorecard-results.sarif
+
+      - if: github.event.inputs.debug == true
+        name: Upload results as artifacts to the workflow Summary page
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5