workflows: add CodeQL analysis workflow for GitHub Actions

.github/workflows/build_all.yml

@@ -8,6 +8,9 @@ name: Build test all components
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
 
+permissions:
+  contents: read
+
 jobs:
 
   stub-build:

.github/workflows/codeql.yml

@@ -0,0 +1,50 @@
+---
+name: "CodeQL Analysis"
+# yamllint disable-line rule:truthy
+on:
+  pull_request:
+    branches:
+      - 'main'
+
+permissions:
+  contents: read
+
+# Specifies group name that stops previous workflows if the name matches
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze GitHub Actions Workflows
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required to upload SARIF results
+      actions: read           # Required to read workflow information
+      contents: read          # Required to checkout repository
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['actions']  # Analyze GitHub Actions workflows
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98  # v4
+        with:
+          languages: ${{ matrix.language }}
+          # Optional: Specify custom queries
+          # queries: security-extended,security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98  # v4
+        with:
+          category: "/language:${{ matrix.language }}"
+          upload: true
+          # Upload SARIF results to GitHub Security tab
+          output: sarif-results

.github/workflows/codestyle.yml

@@ -14,6 +14,9 @@ name: codestyle
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_call, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   checkpatch:
     runs-on: ubuntu-22.04

.github/workflows/daily-tests.yml

@@ -13,6 +13,9 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
 
   # Keep in .yml alphabetical order

.github/workflows/ipc_fuzzer.yml

@@ -22,6 +22,9 @@ on:
   pull_request:
   # TODO: can we provide a default inputs here too?
 
+permissions:
+  contents: read
+
 jobs:
 
   simple-IPC-fuzz_sh:

.github/workflows/llext.yml

@@ -11,6 +11,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-22.04

.github/workflows/pull-request.yml

@@ -31,6 +31,9 @@ on:
   # Allows to call this forkflow from other workflows
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
 
   doxygen:

.github/workflows/repro-build.yml

@@ -14,6 +14,9 @@ name: Reproducible builds
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
 
+permissions:
+  contents: read
+
 jobs:
   main:
     runs-on: ubuntu-22.04

.github/workflows/rimage.yml

@@ -22,6 +22,9 @@ on:
     paths:
       - tools/rimage/**
 
+permissions:
+  contents: read
+
 jobs:
 
   # Basic build test

.github/workflows/sof-docs.yml

@@ -17,6 +17,9 @@ on:
   # Allows to call this forkflow from other workflows
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
 
   # This is unfortunately a mix of sof-docs/.github/ + pull-request.yml#doxygen

.github/workflows/sparse-zephyr.yml

@@ -11,6 +11,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   # As of sparse commit ce1a6720f69e / Sept 2022, the exit status of
   # sparse.c is an unusable mess and always zero in practice. Moreover

.github/workflows/testbench.yml

@@ -28,6 +28,9 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-24.04

.github/workflows/tools.yml

@@ -7,6 +7,9 @@ name: User space tools/ directory
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
 
+permissions:
+  contents: read
+
 jobs:
   # This is not the same as building every ./build-tools.sh option.
   top-level_default_CMake_target_ALL:

.github/workflows/unit-tests.yml

@@ -10,6 +10,9 @@ name: Unit tests
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
 
+permissions:
+  contents: read
+
 jobs:
   cmocka_utests:
     runs-on: ubuntu-latest

.github/workflows/zephyr.yml

@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   manifest-check:
     runs-on: ubuntu-latest
@@ -395,7 +398,7 @@ jobs:
       # https://github.com/actions/runner-images/blob/win22/20230918.1/images/win/Windows2022-Readme.md
       # Is it not good enough? Maybe it could save 20-30s.
       - name: Initialize MSYS2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d  # v2
         with:
           msystem: MSYS
           install: gcc openssl-devel