Looking at the results here, it appears that the C++ job is uploading results for 0 files. But so far, it seems like it'salways done that? I'm investigating older runs to see if this ever worked and/or when it broke.

I suspected that this changed with the Meson build, and looking at Code Scanning results, they were indeed all "fixed" (even the closed ones) as of Oct 4, 2023 by the merging of#26621.

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear onthis overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check outthe documentation.

Maybe you have already tried this in your previous attempts, but I was inspired to set up the same thing for one of my repositories when I saw this and with the default template it worked pretty simple. I basically skipped the autobuild and just installed it with pip. (And had to add a setup-python-step to be able to install using meson.)

However, I assume that the remaining problem is that not that many of the files are considered?

FWIW:https://github.com/apytypes/apytypes/blob/main/.github/workflows/codeql.yml

Oh, that's interesting; I would've thought that just building (as we used to do) would be equivalent, unless it's something to do with where it builds. I'll give that a try as well.

Thanks, that worked and looks even simpler to me:

CodeQL scanned 79 out of 162 C files and 25 out of 60 C++ files in this job.

(Note: we get some extra from Qhull/FreeType/etc, so we get more C files than we actually have. We could maybe configure it to ignore those.)

But note that we don't need a new Python, just upgradingpip, as that fixes the automatic install ofmeson/ninja/pybind11.

Looks good. One of the checks is complaining that:

Warning: Code scanning cannot determine the alerts introduced by this pull request, because 1 configuration present on refs/heads/main was not found

(https://github.com/matplotlib/matplotlib/pull/27733/checks?check_run_id=21143960748)

I'm guessing this will get fixed upon merging this into main?

Yes, I believe that's because we "lost" the C/C++ results onmain for a long while now.

All of the new alerts are in thesubprojects directory (i.e freetype/qhull code), so we can probably either mark them aswon't fix (like we have for some inttconv/otherextern things) or filter out the subprojects directory from results, as I don't think we are going to change that code.