From c560e8f3a890201ace31468b841bd69f3683246e Mon Sep 17 00:00:00 2001
From: Arm Patinyasakdikul
Date: Fri, 24 Apr 2026 15:30:10 -0400
Subject: [PATCH 1/5] ci: add CodeQL security scanning workflow

Add CodeQL static analysis workflow following ROCm project standards (amdsmi/aqlprofile pattern). Scans C/C++ code for security vulnerabilities.
- Runs on develop/mainline branch pushes and PRs
- Weekly scheduled scan on Fridays
- Uses security-extended query suite
- Builds with minimal dependencies (no NIC/MPI) for faster analysis
Part of TheRock component onboarding requirements.
---
 .github/workflows/codeql.yml | 55 ++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..74111748
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,55 @@
+name: "CodeQL Security Scanning"
+
+on:
+ push:
+ branches:
+ - develop
+ - mainline
+ pull_request:
+ branches:
+ - develop
+ - mainline
+ schedule:
+ # Weekly scan on Fridays at 6:34 PM UTC
+ - cron: '34 18 * * 5'
+
+jobs:
+ analyze:
+ name: Analyze (C/C++)
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y build-essential cmake libnuma-dev
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: c-cpp
+ build-mode: manual
+ queries: security-extended
+
+ - name: Build TransferBench
+ run: |
+ mkdir -p build
+ cd build
+ cmake .. -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_LOCAL_GPU_TARGET_ONLY=ON \
+ -DENABLE_NIC_EXEC=OFF \
+ -DENABLE_MPI_COMM=OFF
+ make -j $(nproc)
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:c-cpp"
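Review bot: The three third-party actions in the new workflow (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) are referenced by mutable major-version tags, so the code running with `security-events: write` can change upstream without any commit to this repository. Pinning each `uses:` to a full-length commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, makes the job reproducible and lets Dependabot or Renovate bump it visibly. The `permissions` block is otherwise appropriately scoped for CodeQL, but `packages: read` is granted although no step in this hunk reads from the GitHub package registry; drop it unless a later change (a GHCR-hosted container, for instance) actually needs it.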
From c6b1f9c70e970527fa8c74113ad986369b70f022 Mon Sep 17 00:00:00 2001
From: Arm Patinyasakdikul
Date: Fri, 24 Apr 2026 15:35:27 -0400
Subject: [PATCH 2/5] fix: use ROCm container for CodeQL build

CodeQL analysis needs ROCm/HIP installed to build TransferBench. Switch to rocm/dev-ubuntu-22.04 container following aqlprofile pattern.
- Add git installation in container
- Configure git safe directory
- Add CMAKE_PREFIX_PATH=/opt/rocm for hip-config.cmake discovery
---
 .github/workflows/codeql.yml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 74111748..ca27d4aa 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,6 +17,7 @@ jobs:
 analyze:
 name: Analyze (C/C++)
 runs-on: ubuntu-latest
+ container: rocm/dev-ubuntu-22.04:latest
 permissions:
 security-events: write
 packages: read
@@ -24,13 +25,27 @@ jobs:
 contents: read
 steps:
+ - name: Install OS requirements
+ timeout-minutes: 10
+ run: |
+ apt update
+ apt install -y software-properties-common
+ apt-add-repository ppa:git-core/ppa
+ apt-get update
+ apt install -y git
+
 - name: Checkout repository
 uses: actions/checkout@v4
+ - name: Configure Git Safe Directory
+ run: |
+ git config --global --add safe.directory '*'
+ git config --global --add safe.directory '/__w/TransferBench/TransferBench'
+
 - name: Install dependencies
 run: |
- sudo apt-get update
- sudo apt-get install -y build-essential cmake libnuma-dev
+ apt-get update
+ apt-get install -y build-essential cmake libnuma-dev
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
@@ -46,7 +61,8 @@ jobs:
 cmake .. -DCMAKE_BUILD_TYPE=Release \
 -DBUILD_LOCAL_GPU_TARGET_ONLY=ON \
 -DENABLE_NIC_EXEC=OFF \
- -DENABLE_MPI_COMM=OFF
+ -DENABLE_MPI_COMM=OFF \
+ -DCMAKE_PREFIX_PATH=/opt/rocm
 make -j $(nproc)
 - name: Perform CodeQL Analysis
From 17755e3325ac1c2335d30b04f6da8241bac29de0 Mon Sep 17 00:00:00 2001
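Review bot: The new `Install OS requirements` step (second hunk) adds the third-party `ppa:git-core/ppa` archive to the build container only to install git, which fetches a PPA signing key and packages from Launchpad on every run and widens the software supply chain of a job that holds `security-events: write`. Ubuntu 22.04's own archive ships git 2.34, which as far as I recall is well above the 2.18 minimum actions/checkout documents, so a plain `apt-get install -y git` from the distro repository should suffice — confirm with one run, as the rocm/dev image may even ship git already. The step also mixes `apt` and `apt-get` (`apt` warns that it has no stable CLI interface when scripted), so use `apt-get` throughout, and the `Install dependencies` step's repeated `apt-get update` could then be folded into this one.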
From: Arm Patinyasakdikul
Date: Fri, 24 Apr 2026 16:04:18 -0400
Subject: [PATCH 3/5] ci: add 'candidate' branch to CodeQL trigger list

---
 .github/workflows/codeql.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ca27d4aa..4384df4a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,6 +5,7 @@ on:
 branches:
 - develop
 - mainline
+ - candidate
 pull_request:
 branches:
 - develop

From eb50327f37ce9bad7fcba10efa571cef128d4ba9 Mon Sep 17 00:00:00 2001
From: Arm Patinyasakdikul
Date: Fri, 24 Apr 2026 15:23:36 -0500
Subject: [PATCH 4/5] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/codeql.yml | 76 ++++++++++++++++++------------------
 1 file changed, 38 insertions(+), 38 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4384df4a..3d86c775 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
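Review bot: `candidate` is added only under `push.branches`, while the `pull_request.branches` list in the same `on:` block (its tail lies outside the hunk) still names only `develop` and `mainline`, so pull requests targeting `candidate` will not be scanned before merge and any finding surfaces only after the code has landed. If candidate is a protected release branch, add `- candidate` under `pull_request.branches` as well so the CodeQL check runs pre-merge, matching the push trigger.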
@@ -26,47 +26,47 @@ jobs:
 contents: read
 steps:
- - name: Install OS requirements
- timeout-minutes: 10
- run: |
- apt update
- apt install -y software-properties-common
- apt-add-repository ppa:git-core/ppa
- apt-get update
- apt install -y git
+ - name: Install OS requirements
+ timeout-minutes: 10
+ run: |
+ apt update
+ apt install -y software-properties-common
+ apt-add-repository ppa:git-core/ppa
+ apt-get update
+ apt install -y git
- - name: Checkout repository
- uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@v4
- - name: Configure Git Safe Directory
- run: |
- git config --global --add safe.directory '*'
- git config --global --add safe.directory '/__w/TransferBench/TransferBench'
+ - name: Configure Git Safe Directory
+ run: |
+ git config --global --add safe.directory '*'
+ git config --global --add safe.directory '/__w/TransferBench/TransferBench'
- - name: Install dependencies
- run: |
- apt-get update
- apt-get install -y build-essential cmake libnuma-dev
+ - name: Install dependencies
+ run: |
+ apt-get update
+ apt-get install -y build-essential cmake libnuma-dev
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: c-cpp
- build-mode: manual
- queries: security-extended
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: c-cpp
+ build-mode: manual
+ queries: security-extended
- - name: Build TransferBench
- run: |
- mkdir -p build
- cd build
- cmake .. -DCMAKE_BUILD_TYPE=Release \
- -DBUILD_LOCAL_GPU_TARGET_ONLY=ON \
- -DENABLE_NIC_EXEC=OFF \
- -DENABLE_MPI_COMM=OFF \
- -DCMAKE_PREFIX_PATH=/opt/rocm
- make -j $(nproc)
+ - name: Build TransferBench
+ run: |
+ mkdir -p build
+ cd build
+ cmake .. -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_LOCAL_GPU_TARGET_ONLY=ON \
+ -DENABLE_NIC_EXEC=OFF \
+ -DENABLE_MPI_COMM=OFF \
+ -DCMAKE_PREFIX_PATH=/opt/rocm
+ make -j $(nproc)
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:c-cpp"
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:c-cpp"

From 2c44bc4325168b0ecf8c3d770f28c92847471c1e Mon Sep 17 00:00:00 2001
From: Arm Patinyasakdikul
Date: Fri, 24 Apr 2026 16:26:02 -0400
Subject: [PATCH 5/5] ci: address Copilot review feedback on CodeQL workflow

- Add -y flag to apt-add-repository to avoid interactive prompts
- Replace safe.directory wildcard with GITHUB_WORKSPACE for minimal permissions
Rationale:
1. Interactive prompts can hang CI jobs waiting for user input
2. Using '*' for safe.directory is unnecessarily permissive; GITHUB_WORKSPACE provides sufficient access while maintaining defense-in-depth
Note: Container image intentionally remains unpinned per maintainer preference
---
 .github/workflows/codeql.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3d86c775..6d3ba2f9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,7 +31,7 @@ jobs:
 run: |
 apt update
 apt install -y software-properties-common
- apt-add-repository ppa:git-core/ppa
+ apt-add-repository -y ppa:git-core/ppa
 apt-get update
 apt install -y git
@@ -40,8 +40,7 @@ jobs:
 - name: Configure Git Safe Directory
 run: |
- git config --global --add safe.directory '*'
- git config --global --add safe.directory '/__w/TransferBench/TransferBench'
+ git config --global --add safe.directory "${GITHUB_WORKSPACE}"
 - name: Install dependencies
 run: |
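Review bot: The remaining `Configure Git Safe Directory` step in the second hunk of patch 5 is probably redundant: `actions/checkout@v4` adds the workspace to the global `safe.directory` list itself unless its `set-safe-directory` input is set to false, and no step in this job runs git before the checkout. If it is kept as belt-and-braces, the narrowed `"${GITHUB_WORKSPACE}"` entry is the right scope, and a comment above the step such as `# checkout@v4 already registers the workspace as safe.directory; kept in case a later step checks out elsewhere` would record why it stays rather than inviting the next reader to remove it. The `apt-add-repository -y` change in the first hunk is fine as written.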