Add CodeQL workflow for GitHub code scanning

[pattivacek]

See advancedtelematic/aktualizr#1830.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.46%. Comparing base (c54afdd) to head (a6b5f05).
⚠️ Report is 78 commits behind head on master.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##           master      #95   +/-   ##
=======================================
  Coverage   84.46%   84.46%           
=======================================
  Files         172      172           
  Lines       12284    12284           
=======================================
  Hits        10376    10376           
  Misses       1908     1908           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mike-sul]

The CodeQL failures are mostly in the tests/test fixtures. I wonder whether we should fix it or just turn the codeql check for the tests at all.

[cajun-rat]

I like the idea, but I think we should get all the checks green (or disable the troublesome ones) before merging. The error appears to be with setting up the build environment: Could NOT find Boost (missing: Boost_INCLUDE_DIR log_setup log system.

[pattivacek]

The CodeQL failures are mostly in the tests/test fixtures. I wonder whether we should fix it or just turn the codeql check for the tests at all.

Valid question. Typically we've been less strict about the tests, and I'm okay with that continuing to be the case.

I think we should get all the checks green (or disable the troublesome ones) before merging.

100% agree. I haven't had time to really dig into this but I figured putting it up was better than nothing.