Conversation

@tomk-amd (Collaborator) commented Dec 17, 2025

Motivation

Add a CodeQL workflow.

@tomk-amd tomk-amd requested a review from a team as a code owner December 17, 2025 22:49
Copilot AI review requested due to automatic review settings December 17, 2025 22:49
Copilot AI (Contributor) left a comment

Pull request overview

This PR introduces CodeQL security scanning to the repository by adding a GitHub Actions workflow that runs automated static analysis on C++ code.

Key Changes:

  • New CodeQL workflow configured to run on pushes, pull requests, and weekly schedule
  • CodeQL configuration that excludes third-party dependencies and build artifacts
  • Workflow includes dependency installation for Vulkan SDK and Wayland libraries required for the build

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • .github/workflows/codeql-analysis.yml: Defines the CodeQL workflow with build steps and analysis configuration
  • .github/codeql/codeql-config.yml: Configures CodeQL to exclude third-party code and use security-and-quality queries


Copilot AI review requested due to automatic review settings December 17, 2025 23:14
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings December 18, 2025 13:59
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comment on lines +37 to +42
libdbus-1-dev
echo "✅ Dependencies Installed!"

- name: Install Vulkan SDK
run: |
wget -qO- https://packages.lunarg.com/lunarg-signing-key-pub.asc | sudo tee /etc/apt/trusted.gpg.d/lunarg.asc
Copilot AI commented Dec 18, 2025

The GPG key is being downloaded over HTTPS without verification. While HTTPS provides transport security, it's a best practice to verify the GPG key fingerprint after download to ensure authenticity, especially for security-critical operations like package signing keys.

Suggested change
libdbus-1-dev
echo "✅ Dependencies Installed!"
- name: Install Vulkan SDK
run: |
wget -qO- https://packages.lunarg.com/lunarg-signing-key-pub.asc | sudo tee /etc/apt/trusted.gpg.d/lunarg.asc
libdbus-1-dev \
gnupg
echo "✅ Dependencies Installed!"
- name: Install Vulkan SDK
run: |
set -euo pipefail
# Download Lunarg public signing key to a temporary file
LUNARG_KEY_TMP="$(mktemp)"
wget -qO "$LUNARG_KEY_TMP" https://packages.lunarg.com/lunarg-signing-key-pub.asc
# Expected Lunarg GPG key fingerprint (update this to the official Lunarg key fingerprint)
EXPECTED_LUNARG_FPR="REPLACE_WITH_OFFICIAL_LUNARG_KEY_FINGERPRINT"
# Extract actual fingerprint from downloaded key
ACTUAL_LUNARG_FPR="$(gpg --show-keys --with-colons "$LUNARG_KEY_TMP" | awk -F: '/^fpr:/ {print $10; exit}')"
if [ -z "$ACTUAL_LUNARG_FPR" ]; then
echo "Failed to extract Lunarg GPG key fingerprint." >&2
rm -f "$LUNARG_KEY_TMP"
exit 1
fi
if [ "$ACTUAL_LUNARG_FPR" != "$EXPECTED_LUNARG_FPR" ]; then
echo "Lunarg GPG key fingerprint mismatch!" >&2
echo "Expected: $EXPECTED_LUNARG_FPR" >&2
echo "Actual: $ACTUAL_LUNARG_FPR" >&2
rm -f "$LUNARG_KEY_TMP"
exit 1
fi
# Install verified key into APT trusted keyring
sudo gpg --dearmor < "$LUNARG_KEY_TMP" | sudo tee /etc/apt/trusted.gpg.d/lunarg.gpg >/dev/null
rm -f "$LUNARG_KEY_TMP"
# Configure Lunarg Vulkan APT repository
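Review bot: `EXPECTED_LUNARG_FPR="REPLACE_WITH_OFFICIAL_LUNARG_KEY_FINGERPRINT"` is a placeholder, so as written the mismatch branch always exits 1; the real fingerprint has to be pinned before this step can merge. Two smaller points in the same block: the awk `/^fpr:/ {print $10; exit}` stops at the first `fpr:` record, so if the downloaded file ever carried more than one key only the first would be checked while every key in it is dearmored into `/etc/apt/trusted.gpg.d/lunarg.gpg`; and a key in `trusted.gpg.d` is trusted for every APT source on the runner, so it would be tighter to write it to a dedicated keyring (for example `/etc/apt/keyrings/lunarg.gpg`) and reference it with `signed-by=` in the repository entry the following "Configure Lunarg Vulkan APT repository" step sets up. The `sudo` on `gpg --dearmor`, which only reads the temp file, is unnecessary.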
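The fingerprint check above keys off the first `fpr:` record of `gpg --show-keys --with-colons`. As an added example, not code from this PR, the following parser verifies every primary key in that output against an allow-list, so a download that bundles an extra key is rejected even when the first fingerprint matches; `first_fpr_matches` mirrors the awk one-liner for comparison. The colon-format sample and its fingerprints are constructed placeholders, not LunarG's key.

```python
import hmac


def primary_fingerprints(colon_output: str) -> list[str]:
    """Fingerprints of primary keys only. In `--with-colons` output each
    `fpr:` record belongs to the `pub:` or `sub:` record before it, and
    field 10 carries the fingerprint."""
    fprs, pending_pub = [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending_pub = True
        elif fields[0] == "sub":
            pending_pub = False          # subkey fingerprints are not pinned
        elif fields[0] == "fpr" and pending_pub:
            fprs.append(fields[9].upper())
            pending_pub = False
    return fprs


def first_fpr_matches(colon_output: str, expected: str) -> bool:
    """What the awk `/^fpr:/ {print $10; exit}` check does: first fpr only."""
    fprs = [ln.split(":")[9] for ln in colon_output.splitlines()
            if ln.startswith("fpr:")]
    return bool(fprs) and hmac.compare_digest(fprs[0].upper(), expected.upper())


def key_file_is_trusted(colon_output: str, expected_fprs: list[str]) -> bool:
    """True only if the file holds at least one key and every primary key is
    on the allow-list, so a second key bundled into the download is rejected."""
    found = primary_fingerprints(colon_output)
    allowed = [f.replace(" ", "").upper() for f in expected_fprs]
    return bool(found) and all(
        any(hmac.compare_digest(f, a) for a in allowed) for f in found)


# Constructed sample output (two primary keys, each with one subkey).
# The fingerprints are placeholders, not LunarG's real signing key.
SAMPLE_TWO_KEYS = """\
pub:-:4096:1:1111111111111111:1500000000::::::scESC::::::23::0:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000:
uid:-::::1500000000::HASH::Example Key <example@example.invalid>::::::::::0:
sub:-:4096:1:2222222222222222:1500000000::::::s::::::23:
fpr:::::::::BBBB0000BBBB0000BBBB0000BBBB0000BBBB0000:
pub:-:4096:1:3333333333333333:1500000000::::::scESC::::::23::0:
fpr:::::::::CCCC0000CCCC0000CCCC0000CCCC0000CCCC0000:
sub:-:4096:1:4444444444444444:1500000000::::::s::::::23:
fpr:::::::::DDDD0000DDDD0000DDDD0000DDDD0000DDDD0000:
"""
```

In a workflow the output would come from the same `gpg --show-keys --with-colons "$LUNARG_KEY_TMP"` call the suggestion uses; the allow-list is the one pinned fingerprint.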
@github-advanced-security commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
