From 62eaa6f951cd168fbfbc2000461787ca1ef7a1be Mon Sep 17 00:00:00 2001
From: Markus Lehtonen
Date: Fri, 22 Dec 2023 20:04:09 +0200
Subject: [PATCH] github: enhance codeql action to generate pdf report

This is enabled on the release workflow (triggered on new tags).
---
 .github/workflows/common-codeql.yaml | 18 ++++++++++++++++++
 .github/workflows/release.yaml | 5 +++++
 2 files changed, 23 insertions(+)

diff --git a/.github/workflows/common-codeql.yaml b/.github/workflows/common-codeql.yaml
index 0e70cf9..cf2550c 100644
--- a/.github/workflows/common-codeql.yaml
+++ b/.github/workflows/common-codeql.yaml
@@ -1,6 +1,11 @@
 name: CodeQL
 on:
 workflow_call:
+ inputs:
+ export-report:
+ default: false
+ required: false
+ type: boolean
 jobs:
 codeql-scan:
@@ -17,3 +22,16 @@ jobs:
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v2
+
+ - name: Generate CodeQL Security Report
+ uses: rsdmike/github-security-report-action@v3.0.4
+ with:
+ template: report
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload PDF report as an artifact
+ if: ${{ inputs.export-report }}
+ uses: actions/upload-artifact@v3
+ with:
+ name: codeql-report
+ path: report.pdf
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 25e4019..021c8da 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,3 +13,8 @@ jobs:
 uses: "./.github/workflows/common-trivy.yaml"
 with:
 export-csv: true
+ codeql:
+ uses: "./.github/workflows/common-codeql.yaml"
+ with:
+ export-report: true
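Review bot: The new `export-report` input under `workflow_call:` has no `description:`, so a caller reading the reusable workflow's interface cannot tell what the flag controls without reading the job steps. Adding `description: "Upload the generated CodeQL PDF report as a workflow artifact"` alongside `default`/`required`/`type` documents the contract where GitHub surfaces it. The input is otherwise correctly typed as a boolean with a safe default of false.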
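Review bot: The third-party `rsdmike/github-security-report-action` is pinned to the mutable tag `v3.0.4` while being handed `secrets.GITHUB_TOKEN`, so a moved or re-pushed tag would run different code with that token; pin it to a full commit SHA instead, `uses: rsdmike/github-security-report-action@<FULL_COMMIT_SHA>  # v3.0.4` (the placeholder is to be filled from the action's repository). The Generate step also carries no `if:`, so the report is built, and the alerts fetched with the token, on every caller of this reusable workflow even though only the upload is gated on `inputs.export-report`; adding `if: ${{ inputs.export-report }}` to the Generate step as well keeps non-release callers unchanged. Workflow artifacts are downloadable by anyone with read access to the repository, so on a public repository the PDF of open alerts may be visible to a wider audience than the Security tab's own access rules allow; presumably acceptable for a release, but worth confirming. The job's `permissions:` block, if it has one, sits above this hunk and is not visible here; the report action presumably needs read access to code-scanning alerts, so check the token's grant against that rather than widening it.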
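Review bot: The new `codeql` job declares no `permissions:`, and a called reusable workflow can only use permissions the caller grants, so the CodeQL upload and report steps inherit whatever the release workflow's top-level block (outside this hunk, if present) or the repository default provides. If no workflow-level block exists, consider adding an explicit `permissions:` entry on this job scoped to what `common-codeql.yaml` needs, matching the sibling `trivy` job's shape so the two stay consistent. `GITHUB_TOKEN` itself is passed to a reusable workflow implicitly, so no `secrets:` line is needed for the `token:` input the called workflow uses.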