
fix(codeql): move clang bundle to $RUNNER_TEMP to eliminate libc++ false positives#44804

Closed
Copilot wants to merge 2 commits intomainfrom
copilot/fix-code-scanning-alert-1881
Conversation

Contributor

Copilot AI commented May 1, 2026

Code scanning alert #1881 (cpp/new-free-mismatch) kept reappearing at bin/clang18.1.8/include/c++/v1/vector despite five previous suppression attempts — because the clang+llvm bundle was unpacked inside $GITHUB_WORKSPACE, causing CodeQL to treat bundled libc++ headers as project source rather than system headers.

Root cause

The CodeQL C++ extractor classifies headers as system headers only when they live outside the source root. With the bundle at bin/clang18.1.8/ (inside $GITHUB_WORKSPACE), every paths-ignore glob, CODEQL_EXTRACTOR_CPP_OPTION_EXCLUDE_HEADER_PATTERNS, and CODEQL_EXTRACTOR_CPP_WIP_IGNORE_SYSTEM_HEADERS trick was fighting a losing battle — CodeQL never agreed those headers were system headers to begin with.

Changes

  • Both CodeQL workflows (codeql-push.yml, codeql-daily.yml):

    • Unpack the clang bundle into ${RUNNER_TEMP}/clang18.1.8 instead of bin/clang18.1.8
    • Update BAZEL_LLVM_PATH accordingly
    • Remove the now-unnecessary CODEQL_EXTRACTOR_CPP_OPTION_EXCLUDE_HEADER_PATTERNS and CODEQL_EXTRACTOR_CPP_WIP_IGNORE_SYSTEM_HEADERS env vars
    • Remove config-file: references to the deleted config
    • Add a comment at the mkdir site explaining the $RUNNER_TEMP constraint (with alert reference) so no one "tidies" it back into the checkout
  • .github/codeql/codeql-config.yml: deleted — the paths-ignore: '**/include/c++/v1/**' entry it contained is redundant once the bundle is outside the source root; a stub config file is more confusing than nothing

No CodeQL queries are weakened — cpp/new-free-mismatch and all other checks remain fully active against Envoy source code. This removes a misclassification, not a check.

Supersedes workarounds from #44609, #44767, #44768.

Original prompt

Background

Code scanning alert #1881 (cpp/new-free-mismatch, severity High) keeps reappearing with primary location:

bin/clang18.1.8/include/c++/v1/vector:492

There have been five previous attempts to silence/work-around this, none of which fixed the root cause:

| PR | What it tried | Why it failed |
|---|---|---|
| #44600 / #44609 | paths-ignore: '**/include/c++/v1/**' in .github/codeql/codeql-config.yml | paths-ignore has known weak semantics for compiled C/C++ — it filters which TUs are extracted as roots, not which files alerts can land in. Headers pulled in transitively from Envoy TUs still produce alerts. |
| #44767 | CODEQL_EXTRACTOR_CPP_OPTION_EXCLUDE_HEADER_PATTERNS=bin/clang.*/.* | Excludes from extraction only; dataflow alerts are computed from Envoy TUs and the libc++ location remains valid as the alert primary location. |
| #44768 | CODEQL_EXTRACTOR_CPP_WIP_IGNORE_SYSTEM_HEADERS=true | Undocumented WIP env var. Doesn't help because CodeQL does not classify these headers as system headers — see root cause below. |
| #44466 | Fixed an unrelated genuine new/delete mismatch in aws/signing | Different code, not what alert #1881 points at. |
| #44769 / #44771 | Scorecard SAST plumbing | Unrelated. |

Root cause

Both .github/workflows/codeql-push.yml and .github/workflows/codeql-daily.yml unpack the prebuilt clang+llvm 18.1.8 bundle into the checkout directory:

mkdir -p bin/clang18.1.8
cd bin/clang18.1.8
wget -q https://github.com/llvm/llvm-project/releases/download/llvmorg-18.1.8/clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz
tar -xf clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz --strip-components 1
...
--repo_env=BAZEL_LLVM_PATH="$(realpath bin/clang18.1.8)"

bin/clang18.1.8/ lives inside $GITHUB_WORKSPACE (the checkout root). The CodeQL C++ extractor classifies a header as a system header — and excludes alerts in it by default — based on whether it lives outside the source root. Anything under $GITHUB_WORKSPACE is treated as project source. That is why every "ignore libc++" attempt has been a losing battle: from CodeQL's point of view, bin/clang18.1.8/include/c++/v1/vector is just as much "Envoy source" as source/common/http/conn_manager_impl.cc.

Started when CodeQL began successfully extracting TUs that pull in <vector> (i.e. when the CodeQL build was fixed). Before then extraction was partial and these TUs were never reached.

Fix

Unpack the clang bundle outside $GITHUB_WORKSPACE, in $RUNNER_TEMP. CodeQL will then treat the bundled libc++ headers as system headers, exactly as it would /usr/include/c++/13/vector on a normal Linux build. No config knobs, no undocumented env vars, no paths-ignore glob required. The cpp/new-free-mismatch query (and all other queries) remain fully active across Envoy's own code.

Required changes

1. .github/workflows/codeql-push.yml

  • In the Install deps step, replace mkdir -p bin/clang18.1.8 / cd bin/clang18.1.8 with mkdir -p "${RUNNER_TEMP}/clang18.1.8" / cd "${RUNNER_TEMP}/clang18.1.8".
  • In the Build step, change --repo_env=BAZEL_LLVM_PATH="$(realpath bin/clang18.1.8)" to --repo_env=BAZEL_LLVM_PATH="${RUNNER_TEMP}/clang18.1.8".
  • Remove the env: block on the Initialize CodeQL step that sets CODEQL_EXTRACTOR_CPP_OPTION_EXCLUDE_HEADER_PATTERNS and CODEQL_EXTRACTOR_CPP_WIP_IGNORE_SYSTEM_HEADERS. They are no longer needed.
  • Add a short comment near the mkdir/tar lines explaining why the bundle must live outside $GITHUB_WORKSPACE (so a future contributor doesn't "tidy" it back into the checkout). Reference alert #1881.
  • The Clean Artifacts step's git clean -xdf previously also removed the in-tree bin/clang18.1.8/. Confirm this is still fine (it is — the bundle is now in $RUNNER_TEMP, which the runner cleans up itself).

2. .github/workflows/codeql-daily.yml

Apply exactly the same three edits (mkdir/cd path, BAZEL_LLVM_PATH, drop the env vars).

3. .github/codeql/codeql-config.yml

The paths-ignore: '**/include/c++/v1/**' entry is no longer needed. Either:

  • Remove the file entirely and drop the config-file: ./.github/codeql/codeql-config.yml line from both workflows' Initialize CodeQL step; or
  • Keep the file with just name: and a comment block explaining that with the toolchain in $RUNNER_TEMP no exclusions are required, and leaving the file in place avoids workflow churn if exclusions are ever needed again.

Pick whichever is cleaner — I lean towards removing both the file and the config-file: references since there is now nothing to configure and a stub config file is more confusing than helpful.

4. Inline comments

Update the comment block currently in codeql-config.yml (which describes the old workaround) so its replacement — wherever it ends up — explains the actual constraint:

The c...

This pull request was created from Copilot chat.
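The constraint the PR body describes (the clang bundle must be unpacked outside $GITHUB_WORKSPACE so CodeQL classifies its libc++ headers as system headers) is easy to lose in a later "tidy-up". The script below is an added example, not code from the Envoy workflows or from this PR: a guard that refuses any toolchain directory resolving to inside the checkout, and only then prints the --repo_env=BAZEL_LLVM_PATH flag to pass to Bazel. The function names abs_path, path_inside, choose_llvm_dir and install_clang_bundle are hypothetical; it assumes GITHUB_WORKSPACE and RUNNER_TEMP are set as they are on a GitHub-hosted runner, and reuses the llvmorg-18.1.8 release URL from the PR text.

```shell
#!/usr/bin/env bash
# Added example (not from the Envoy workflows or this PR): refuse to unpack
# the clang+llvm bundle anywhere inside $GITHUB_WORKSPACE, because the CodeQL
# C++ extractor treats everything under the source root as project source.
# Function names are hypothetical; the URL is the one quoted in the PR text.
set -euo pipefail

LLVM_URL="https://github.com/llvm/llvm-project/releases/download/llvmorg-18.1.8/clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz"

# Print the physical absolute path of $1, creating it if needed (the
# workflows run mkdir -p anyway). Portable: no reliance on realpath -m.
abs_path() {
  (mkdir -p -- "$1" && cd -- "$1" && pwd -P)
}

# Return 0 if $1 resolves to $2 or to something beneath it, else 1.
# Relative paths are resolved against the current directory, exactly as the
# original `mkdir -p bin/clang18.1.8` was resolved against the checkout.
path_inside() {
  local p base
  p="$(abs_path "$1")"
  base="$(abs_path "$2")"
  [ "$p" = "$base" ] || [ "${p#"$base"/}" != "$p" ]
}

# Validate the toolchain location. Prints the resolved directory on success;
# fails (with the reason) if it would land inside the checkout.
choose_llvm_dir() {
  local dir="$1"
  if path_inside "$dir" "${GITHUB_WORKSPACE}"; then
    echo "refusing ${dir}: inside GITHUB_WORKSPACE; CodeQL would treat the" \
         "bundled libc++ headers as project source (see alert #1881)" >&2
    return 1
  fi
  abs_path "$dir"
}

# Fetch and unpack the bundle into a validated directory, then emit the
# Bazel flag the Build step needs. Network access required for this step.
install_clang_bundle() {
  local dir
  dir="$(choose_llvm_dir "$1")" || return 1
  (
    cd -- "$dir"
    wget -q "$LLVM_URL"
    tar -xf "$(basename "$LLVM_URL")" --strip-components 1
  )
  echo "--repo_env=BAZEL_LLVM_PATH=${dir}"
}

# Stand-alone usage: ./guard.sh "${RUNNER_TEMP}/clang18.1.8"
# (the old in-tree location, bin/clang18.1.8, is rejected).
if [ "$#" -gt 0 ]; then
  install_clang_bundle "$1"
fi
```

The check is deliberately done on resolved physical paths rather than string prefixes of the raw arguments, so a symlink from inside the checkout to $RUNNER_TEMP, or a relative path typed from the checkout root, is judged by where the files actually end up, which is what the extractor sees.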

@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #44804 was opened by Copilot.

see: more, trace.

Copilot AI changed the title from "[WIP] Fix code scanning alert 1881 for cpp/new-free-mismatch" to "fix(codeql): move clang bundle to $RUNNER_TEMP to eliminate libc++ false positives" May 1, 2026
Copilot AI requested a review from phlax May 1, 2026 10:06
Copilot finished work on behalf of phlax May 1, 2026 10:06
@phlax phlax closed this May 1, 2026
@phlax phlax deleted the copilot/fix-code-scanning-alert-1881 branch May 1, 2026 10:25