Fix .github/codeql/codeql-config.yml for corrected workflow

Remove unnecessary Test step

Use Ninja to generate `compile_commands.json` instead of a full build

Copy compile_commands.json to the correct place

Diagnosis for compile_commands.json issues

More diagnostics for compile_commands.json issues

Revert "Use Ninja to generate `compile_commands.json` instead of a full build"

This reverts commit 0cc2448.

Further attempts to help codeql

Disable CodeQL autobuild

Configure CMake to use CodeQL's compiler wrapper

Revert to `build_mode: none`

Consider C++, Python and GitHub Actions separately

More corrections to matrixed workflow

Try different inputs

Use default path in config

Ignore Python test scripts correctly

Fix C++ instrumentation

Fix parse error

fix(ci): Resolve CodeQL PRELOAD error by isolating build environment

The CodeQL analysis was failing with an `LD_PRELOAD` error because the build-tracing environment set by the `codeql-action/init` step was being overwritten.

The custom `build-cmake` composite action was sourcing the container's `/entrypoint.sh` script, which reset the environment.

This change removes the sourcing of the entrypoint script from the `build-cmake` action. The `setup-build-env` action already configures the necessary environment, making this step redundant and disruptive to CodeQL's build tracing.

More diagnostics

fix(ci): Resolve CodeQL PRELOAD error by preserving environment

The CodeQL analysis was failing with an `LD_PRELOAD` error because the build-tracing environment set by the `codeql-action/init` step was being overwritten by a setup script.

The `configure-cmake` and `build-cmake` composite actions source the container's `/entrypoint.sh` script, which resets the environment and changes `LD_PRELOAD` to an unexpanded, generic value.

This change preserves the `LD_PRELOAD` variable across the sourcing of the entrypoint script in both actions. It saves the value before the script is sourced and restores it immediately after, ensuring that the CodeQL build tracer functions correctly while still allowing the entrypoint script to perform its necessary setup.

Simplify CI actions to attempt to prevent LD_PRELOAD mangling

Restore erroneously-removed `shell: bash` directives

Fix thinko

Better fix to check enviroment

Restore sourcing to actions

Inline configure/build to (hopefully) avoid LD_PRELOAD issues

Fix YAML issue

One last try for LD_PRELOAD

Fix thinko and add diagnostics

Remove redundant diagnostics

Author: greenc-FNAL

.github/actions/README.md

@@ -6,7 +6,7 @@ This directory contains reusable composite actions for Phlex CI/CD workflows.
 
 ### setup-build-env
 
-Sets up the Phlex build environment by sourcing the entrypoint script and creating build directories.
+Verifies the container build environment and creates build directories.
 
 **Inputs:**
 

.github/actions/REFACTORING_SUMMARY.md

@@ -10,11 +10,10 @@ Refactored GitHub Actions workflows to use composite actions for better maintain
 
 **Location**: `.github/actions/setup-build-env/action.yaml`
 
-**Purpose**: Sets up the build environment by sourcing the container entrypoint script and creating directories
+**Purpose**: Verifies the Spack build environment and creates build directories
 
 **Provides**:
 
-- Sources `/entrypoint.sh`
 - Creates build directory
 - Outputs source and build directory paths
 
@@ -41,7 +40,6 @@ Refactored GitHub Actions workflows to use composite actions for better maintain
 
 - Configurable target selection
 - Auto-detected or custom parallel jobs
-- Sources entrypoint for environment
 
 ## Updated Workflows
 

.github/actions/build-cmake/action.yaml

@@ -24,9 +24,6 @@ runs:
   steps:
     - shell: bash
       run: |
-        # Source the container entrypoint script
-        . /entrypoint.sh
-        
         cd "$GITHUB_WORKSPACE/$BUILD_PATH"
         
         # Determine parallel jobs

.github/actions/setup-build-env/action.yaml

@@ -25,9 +25,6 @@ runs:
     - id: setup
       shell: bash
       run: |
-        # Source the container entrypoint script
-        . /entrypoint.sh
-        
         # Create and export build directory
         mkdir -p "$GITHUB_WORKSPACE/$BUILD_PATH"
         

.github/codeql/codeql-config.yml

@@ -5,9 +5,8 @@ queries:
   - uses: security-extended
   - uses: code-quality
 
-paths:
-  - phlex-src/**
 paths-ignore:
-  - phlex-src/build/**
-  - phlex-src/doc/**
-  - phlex-src/test/**
+  - "*-build/**"
+  - build/**
+  - doc/**
+  - test/**

.github/workflows/codeql-analysis.yaml

@@ -17,17 +17,18 @@ permissions:
 
 env:
   BUILD_TYPE: RelWithDebInfo
+  CPP_COMPILER: g++
 
 jobs:
   codeql:
-    name: Analyze with CodeQL
+    name: Analyze ${{ matrix.language }} with CodeQL
     runs-on: ubuntu-24.04
     container:
       image: ghcr.io/framework-r-d/phlex-ci:latest
     strategy:
       fail-fast: false
       matrix: # Necessry to disable yaml-language-server warning
-        single-run: [ true ]
+        language: ['cpp', 'python', 'actions']
     timeout-minutes: 120
     steps:
       - name: Checkout repository
@@ -38,49 +39,37 @@ jobs:
 
       - name: Setup build environment
         uses: ./phlex-src/.github/actions/setup-build-env
+        with:
+          build-path: phlex-build
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4
         with:
-          languages: cpp, python, actions
+          languages: ${{ matrix.language }}
           config-file: phlex-src/.github/codeql/codeql-config.yml
           source-root: phlex-src
-          build-mode: none
-
-      - name: Configure CMake
-        uses: ./phlex-src/.github/actions/configure-cmake
-        with:
-          build-type: ${{ env.BUILD_TYPE }}
+          build-mode: ${{ matrix.language == 'cpp' && 'manual' || 'none' }}
 
-      - name: Build
-        uses: ./phlex-src/.github/actions/build-cmake
-
-      - name: Test
+      - name: Configure and build (C++ only)
+        if: matrix.language == 'cpp'
         run: |
           . /entrypoint.sh
-          cd $GITHUB_WORKSPACE/phlex-build
-          ctest -j $(nproc) || true
-
-      - name: Verify compile_commands.json and publish for diagnostics
-        run: |
-          set -euo pipefail
-          echo "Looking for compile_commands.json in common build locations..."
-          # Prefer phlex-src/build/compile_commands.json
-          if [ -f "$GITHUB_WORKSPACE/phlex-src/build/compile_commands.json" ]; then
-            echo "Found phlex-src/build/compile_commands.json"
-            cp "$GITHUB_WORKSPACE/phlex-src/build/compile_commands.json" "$GITHUB_WORKSPACE/compile_commands.json"
-          elif [ -f "$GITHUB_WORKSPACE/phlex-build/compile_commands.json" ]; then
-            echo "Found phlex-build/compile_commands.json"
-            cp "$GITHUB_WORKSPACE/phlex-build/compile_commands.json" "$GITHUB_WORKSPACE/compile_commands.json"
-          else
-            echo "No compile_commands.json found in phlex-src/build or phlex-build; continuing."
-          fi
-          echo "Workspace listing (for debugging):"
-          ls -la "$GITHUB_WORKSPACE" || true
+          cd "$GITHUB_WORKSPACE/phlex-build"
+          # For reasons unknown, CodeQL's choice of LD_PRELOAD needs to
+          # be corrected
+          export LD_PRELOAD="$SEMMLE_PRELOAD_libtrace64"
+          echo "LD_PRELOAD=$LD_PRELOAD"
+          cmake --preset=default -S "$GITHUB_WORKSPACE/phlex-src" \
+            -B "$GITHUB_WORKSPACE/phlex-build" -GNinja \
+            -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
+            -DCMAKE_CXX_COMPILER="$CPP_COMPILER" \
+            -DPHLEX_USE_FORM=TRUE \
+            -DFORM_USE_ROOT_STORAGE=TRUE || exit
+          cmake --build . || exit
 
       # Run CodeQL analysis (uploads results to code scanning)
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v4
         with:
-          category: "CodeQL"
-          output: codeql-results.sarif
+          checkout_path: phlex-src
+          category: ${{ matrix.language }}