Add support for CodeQL and Sonarcloud for enhanced repo security

[stan-dot]

https://github.com/apps/sonarcloud

https://codeql.github.com/

see the repo for reference
DiamondLightSource/i18-bluesky#20

There is a DLS precedent for the use of codeql in the python-murfey repo

UPDATE: this had also been tested in the i18-bluesky repository

[coretl]

Before working on a PR to put this into copier, please try it for a reasonable period in other repos, then report back if it gives any useful results. My experience with these tools is that they make more noise than useful alerts, so I'd like to see if they have improved.

[stan-dot]

that's very reasonable.

arguably this should be an existing repo, not a new one.

@coretl , @callumforrester do you have a repo candidate? maybe blueapi ?

[DiamondJoseph]

Be nice to prove we have it configured right on i22-bluesky, since right now the security tab isn't really giving much information.

[callumforrester]

Yep, happy to see this added to blueapi

[stan-dot]

will revisit this once those repos are tested for 3 months - setting this for 19.11.2024

[stan-dot]

considering testing for 3 months months in more repos.
gitlab maybe - https://gitlab.diamond.ac.uk/scisoft/beamlines/i20/gda-zocalo-connector

and also potentially the bluesky repos https://github.com/bluesky/bluesky/
and ophyd-async

https://github.com/bluesky/ophyd-async

@coretl thoughts?

[DiamondJoseph]

@stan-dot if you're looking for a gitlab repo to try on, the NeXus service would be OK. It'll be a different setup (and Java), and I don't think we're using the copier-template for gitlab atm?

[callumforrester]

The copier template explicitly no longer supports Gitlab AFAIK

[coretl]

Feel free to add it to ophyd-async. Ignore gitlab for now.

[stan-dot]

ok will do, can I make a PR to bluesky too? and dodal?

[callumforrester]

I think doing it for an external repo is a different question