
Add CodeQL workflow analysis for self-hosted runners with JDK runtime support#3

Draft
Copilot wants to merge 3 commits into main from copilot/fix-c02f2042-ac67-4235-801c-f8467d4eba2e

Conversation

Copilot AI commented Oct 5, 2025

Overview

This PR implements a comprehensive CodeQL analysis workflow configured for self-hosted runners with full JDK runtime support and database creation notifications.

Problem Statement

The repository required a CodeQL workflow that:

  • Runs on self-hosted infrastructure for better control
  • Provides checkout notifications during CodeQL CLI database creation
  • Supports JDK runtime analysis for Java/C++ codebases

Solution

Created .github/workflows/codeql-analysis.yml with the following capabilities:

Key Features

Self-Hosted Runner Configuration

  • Configured to run on self-hosted runners instead of GitHub-hosted
  • Extended timeout (360 minutes) for comprehensive analysis
  • Matrix strategy supporting both Java and C++ languages

JDK Runtime Environment Setup

  • Automatic JDK 17 (Temurin distribution) installation
  • Maven dependency caching for faster builds
  • Build tool detection (Maven/Gradle) with automatic compilation

CodeQL CLI Database Creation with Notifications
The workflow provides detailed notifications at each stage:

```yaml
- name: Notification - CodeQL CLI database initialization
  run: |
    echo "::notice title=CodeQL Initialization::Starting CodeQL CLI database creation for ${{ matrix.language }}"
    echo "Runner: self-hosted"
    echo "Language: ${{ matrix.language }}"
    echo "JDK Runtime: $(java -version 2>&1 || echo 'N/A')"
```

Analysis and Reporting

  • Security and quality query suites enabled
  • SARIF results uploaded to GitHub Security tab
  • CodeQL databases saved as artifacts (7-day retention)
  • Completion notifications with status reporting

Workflow Triggers

  • Push: Automatic analysis on main branch commits
  • Pull Request: Analysis on PRs targeting main
  • Schedule: Weekly security scans (Sunday midnight UTC)

Documentation

Added comprehensive documentation in .github/workflows/README.md covering:

  • Workflow features and configuration
  • Self-hosted runner requirements
  • Troubleshooting guide
  • Best practices for code scanning

Testing

  • ✅ YAML syntax validation passed
  • ✅ Workflow structure follows GitHub Actions best practices
  • ✅ Proper permissions configured for security events

Benefits

  1. Enhanced Security: Automated vulnerability detection on every commit
  2. Self-Hosted Control: Run analysis on your own infrastructure
  3. JDK Support: Full Java runtime analysis with build tool integration
  4. Transparency: Detailed notifications throughout the analysis process
  5. Compliance: Regular scheduled scans for continuous security monitoring

Requirements for Self-Hosted Runners

Ensure your self-hosted runner has:

  • Git for repository checkout
  • Java 17+ for JDK runtime analysis
  • Maven or Gradle for Java builds
  • Sufficient disk space for database storage

Results will be available in the Security > Code scanning tab after workflow completion.

Original prompt

Describe CodeQL workflow analysis token self-hosted. While checkout notification CodeQL CLI databases of JDK runtime
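The workflow described in the PR body, written out as an added example (this is not the `.github/workflows/codeql-analysis.yml` from the PR itself, which is not shown on this page). It is assembled from the features listed above: a `self-hosted` runner label, a 360-minute timeout, a `java`/`cpp` matrix, Temurin JDK 17 with Maven caching, `::notice` annotations around database creation, the `+security-and-quality` suite, SARIF upload, and the database archived as a 7-day artifact. The `db-location` and `output` paths under `runner.temp`, the artifact name, and the Maven/Gradle detection step are assumptions; the action names and inputs used are real inputs of `actions/checkout`, `actions/setup-java`, `github/codeql-action` and `actions/upload-artifact`.

```yaml
# Added example, not the PR's own file. Runner label, paths and artifact name are assumed.
name: CodeQL (self-hosted, JDK runtime)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0'   # weekly, Sunday 00:00 UTC

permissions:
  contents: read
  actions: read
  security-events: write   # required to upload SARIF into the Code scanning tab

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: self-hosted      # assumed runner label
    timeout-minutes: 360
    strategy:
      fail-fast: false
      matrix:
        language: [java, cpp]

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up JDK 17 (Temurin) with Maven dependency cache
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      - name: Notification - CodeQL CLI database initialization
        run: |
          echo "::notice title=CodeQL Initialization::Starting CodeQL CLI database creation for ${{ matrix.language }}"
          echo "Runner: self-hosted"
          echo "Language: ${{ matrix.language }}"
          echo "JDK Runtime: $(java -version 2>&1 || echo 'N/A')"

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality                 # append to the default suite
          db-location: ${{ runner.temp }}/codeql-db      # assumed path, archived as an artifact below

      # Build tool detection for the Java leg: the CodeQL Java extractor records
      # what the compiler sees, so the project must actually be compiled here.
      - name: Detect build tool and compile (Java)
        if: matrix.language == 'java'
        run: |
          if [ -f pom.xml ]; then
            echo "::notice title=Build::Maven project detected"
            mvn -B -DskipTests package
          elif [ -f build.gradle ] || [ -f build.gradle.kts ]; then
            echo "::notice title=Build::Gradle project detected"
            if [ -x ./gradlew ]; then ./gradlew build -x test; else gradle build -x test; fi
          else
            echo "::warning title=Build::No pom.xml or build.gradle found; nothing was compiled"
          fi

      - name: Autobuild (C++)
        if: matrix.language == 'cpp'
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL analysis and upload SARIF
        uses: github/codeql-action/analyze@v3
        with:
          category: /language:${{ matrix.language }}
          output: ${{ runner.temp }}/codeql-results      # assumed path

      - name: Upload CodeQL database as artifact (7-day retention)
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-db-${{ matrix.language }}          # assumed artifact name
          path: ${{ runner.temp }}/codeql-db
          retention-days: 7

      - name: Notification - completion
        if: always()
        run: |
          echo "::notice title=CodeQL Completion::Analysis for ${{ matrix.language }} finished with job status '${{ job.status }}'"
```

Two points worth checking before adopting something like this on a self-hosted runner: the `pull_request` trigger means the build steps execute code from the PR head branch on your own infrastructure, so for a repository that accepts outside contributions the runner should be isolated (ephemeral or containerised) or the trigger restricted; and `db-location` is what makes the "database saved as artifact" step work, since the default database directory lives outside the workspace.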


Copilot AI and others added 2 commits October 5, 2025 14:40
Co-authored-by: kadSerrCX <225557222+kadSerrCX@users.noreply.github.com>
… support

Co-authored-by: kadSerrCX <225557222+kadSerrCX@users.noreply.github.com>
Copilot AI changed the title [WIP] Describe CodeQL workflow analysis token self-hosted. While checkout notification CodeQL CLI databases of JDK runtime Add CodeQL workflow analysis for self-hosted runners with JDK runtime support Oct 5, 2025
Copilot AI requested a review from kadSerrCX October 5, 2025 14:43

- name: Autobuild
uses: github/codeql-action/autobuild@v3
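Review bot: the `autobuild` step runs the repository's own build system on the self-hosted runner, and together with the `pull_request` trigger on `main` described in this PR, that executes build scripts from the PR head branch on your infrastructure; suggest either restricting the trigger, gating the job behind an environment with required reviewers, or documenting in the README that the runner is ephemeral/isolated. Also, since the description lists a separate "build tool detection (Maven/Gradle) with automatic compilation" step, state which of the two actually compiles the Java matrix leg so the source is not built twice into the same database.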

Owner


Add symbol matcher that compose 'env' of model control v2.2

paths-ignore:
- '**/*.xml'
queries: +security-and-quality
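Review bot: `paths-ignore: '**/*.xml'` excludes every XML file from the database, and for a Java project that includes `pom.xml`, `web.xml`, Spring and logging configuration that the Java extractor otherwise indexes and that several security queries read; suggest narrowing the pattern to the generated or test XML you actually intend to skip, or removing it. The `+security-and-quality` line appends to the default suite rather than replacing it, which is correct, but worth noting in the README since the `quality` queries noticeably raise the result count in the Security tab.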

Owner


Learn CodeQL efficient queries, upload to set-upstream in VSCode, differ from actual branch about variant

Owner

@kadSerrCX kadSerrCX Oct 11, 2025


2010-2026©ARM PR weekly status: std_if,fi
Graph submit elif, else. Removal of package ::notice CodeQL remarkable testing suite
[If submission gets published](http://github.com/codec5jchain/.github/README.md#Security enhancement)
