From 69b8b690fe010f2d6c4ecd1124b05253dc0b7834 Mon Sep 17 00:00:00 2001
From: Andreas Motl <andreas.motl@crate.io>
Date: Thu, 14 Nov 2024 00:45:21 +0100
Subject: [PATCH] Chore: Suppress unqualified CodeQL admonitions

GitHub's CodeQL flags [1] those spots with "Unused global variable" [2].

Based on a suggestion [3], this patch attempts to use the
`advanced-security/dismiss-alerts` [4] GitHub Action recipe to provide
measures to suppress CodeQL flagging by using inline code annotations.

[1] https://github.com/crate/crate-python/security/code-scanning
[2] https://codeql.github.com/codeql-query-help/python/py-unused-global-variable/
[3] Issue 11427 at https://github.com/github/codeql/issues
[4] https://github.com/advanced-security/dismiss-alerts
---
 .github/workflows/codeql.yml | 19 +++++++++++++++++++
 src/crate/client/__init__.py |  1 +
 2 files changed, 20 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6a23088d..0e099fca 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -53,6 +53,8 @@ jobs:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yml
           queries: +security-and-quality
+          # run an 'alert-suppression' query
+          packs: "codeql/${{ matrix.language }}-queries:AlertSuppression.ql"
 
       #- name: Autobuild
       #  uses: github/codeql-action/autobuild@v2
@@ -62,4 +64,21 @@ jobs:
           uv pip install --system '.[test]'
 
       - name: Perform CodeQL Analysis
+        id: analyze
         uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+          # define the output folder for SARIF files
+          output: sarif-results
+
+      # Unlock inline mechanism to suppress CodeQL warnings.
+      # https://github.com/github/codeql/issues/11427#issuecomment-1721059096
+      - name: Dismiss alerts
+        # if: github.ref == 'refs/heads/main'
+        uses: advanced-security/dismiss-alerts@v1
+        with:
+          # specify a 'sarif-id' and 'sarif-file'
+          sarif-id: ${{ steps.analyze.outputs.sarif-id }}
+          sarif-file: sarif-results/${{ matrix.language }}.sarif
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/src/crate/client/__init__.py b/src/crate/client/__init__.py
index 35a53d6e..61a61a88 100644
--- a/src/crate/client/__init__.py
+++ b/src/crate/client/__init__.py
@@ -31,6 +31,7 @@
 # regex!
 __version__ = "1.0.0"
 
+# codeql[py/unused-global-variable]
 apilevel = "2.0"
 threadsafety = 1
 paramstyle = "qmark"