From 0e536787b2eba6ff1514d11ab90edf6e6ffd1631 Mon Sep 17 00:00:00 2001
From: Daniel Farrell
Date: Thu, 1 Sep 2022 12:48:55 -0400
Subject: [PATCH 1/3] Revert "Wrapped error is always nil"

This reverts commit 9d9cea166f2f6e405f7ccb5e8f5865cf9a9b534c.
---
 pkg/submariner/scc/ensure.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/submariner/scc/ensure.go b/pkg/submariner/scc/ensure.go
index b31b68356..0275406b3 100644
--- a/pkg/submariner/scc/ensure.go
+++ b/pkg/submariner/scc/ensure.go
@@ -65,5 +65,5 @@ func Ensure(dynClient dynamic.Interface, namespace string) (bool, error) {
 updateScc = updateScc || result
 }
 
- return updateScc, nil
+ return updateScc, errors.Wrap(err, "error updating the SCC resource")
 }

From ce5d0f8740cbb79994659d364680a4a5f593c48d Mon Sep 17 00:00:00 2001
From: Daniel Farrell
Date: Tue, 30 Aug 2022 17:43:04 -0400
Subject: [PATCH 2/3] Add CodeQL variant analysis scanning

This is a different type of static analysis than others we run. It identified new issues (already fixed) that our other tools missed. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results.

Relates-to: submariner-io/submariner#1970
Signed-off-by: Daniel Farrell
---
 .github/workflows/linting.yml | 18 ++++++++++++++++++
 .github/workflows/report.yml | 20 ++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index f435c1cf1..ce3da6f33 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -105,6 +105,24 @@ jobs:
 - name: Run packagedoc-lint
 run: make packagedoc-lint
 
+ variant-analysis:
+ name: Variant Analysis
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+ with:
+ languages: go
+ - name: Build code, creating CodeQL database
+ run: make build
+ - name: Run CodeQL variant analysis
+ uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+ - name: Show CodeQL scan SARIF report
+ if: always()
+ run: cat ../results/go.sarif
+
 vulnerability-scan:
 name: Vulnerability Scanning
 runs-on: ubuntu-latest
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index 82ed56a2a..ddd4a57fe 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -10,6 +10,26 @@ on:
 permissions: {}
 
 jobs:
+ variant-analysis:
+ name: Variant Analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+ with:
+ languages: go
+ - name: Build code, creating CodeQL database
+ run: make build
+ - name: Run CodeQL variant analysis
+ uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
+ - name: Show CodeQL scan SARIF report
+ if: always()
+ run: cat ../results/go.sarif
+
 vulnerability-scan:
 name: Vulnerability Scanning
 if: github.repository_owner == 'submariner-io'

From d8a9993f0197a88061b41b4bac7ebaeb95e08720 Mon Sep 17 00:00:00 2001
From: Daniel Farrell
Date: Thu, 1 Sep 2022 13:22:15 -0400
Subject: [PATCH 3/3] Test removing CodeQL manaul build step

Signed-off-by: Daniel Farrell
---
 .github/workflows/linting.yml | 2 --
 .github/workflows/report.yml | 2 --
 2 files changed, 4 deletions(-)

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index ce3da6f33..34d8f4732 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -115,8 +115,6 @@ jobs:
 uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
 with:
 languages: go
- - name: Build code, creating CodeQL database
- run: make build
 - name: Run CodeQL variant analysis
 uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
 - name: Show CodeQL scan SARIF report
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index ddd4a57fe..d013f33fd 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -22,8 +22,6 @@ jobs:
 uses: github/codeql-action/init@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
 with:
 languages: go
- - name: Build code, creating CodeQL database
- run: make build
 - name: Run CodeQL variant analysis
 uses: github/codeql-action/analyze@2ca79b6fa8d3ec278944088b4aa5f46912db5d63
 - name: Show CodeQL scan SARIF report
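Review bot: The reinstated `return updateScc, errors.Wrap(err, "error updating the SCC resource")` only reports anything if `err` can still be non-nil at the final return, and nothing in the hunk assigns it; Ensure's body starts outside the hunk, so whether `err` is a value that the loop above has already checked cannot be confirmed here. The reverted commit's own title, "Wrapped error is always nil", says that it is, in which case the wrap yields nil and the message is never surfaced, while a stale `err` left over from an earlier iteration would instead turn a completed update into a failure. If this revert exists only to confirm that the new CodeQL job flags the pattern, the commit message should say so, so the line is not merged back as a fix.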
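Review bot: The PR-gating job runs `github/codeql-action/analyze` with its default SARIF upload enabled, which needs `security-events: write`; the commit describes this job as unprivileged and adds no job-level `permissions`, so unless the workflow-level permissions outside the hunk grant it, the upload step is likely to fail, and for pull requests from forks it will fail regardless. Passing `with:` / `upload: false` to the analyze step keeps the job unprivileged and still leaves the SARIF on disk for the next step. Note also that analyze does not fail the job on findings, so this gates PRs only on the scan completing; the findings are visible only in the `cat ../results/go.sarif` output, and that step, running under `if: always()`, will itself error when init or analyze exits before the file is written. The same `cat` caveat applies to the report.yml hunk of this patch, which otherwise correctly scopes `security-events: write` to the job rather than the workflow.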
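Review bot: Dropping the `make build` step leaves the Go database to whatever `codeql-action/analyze` does when no build was traced; if it does not fall back to an automatic build for Go, the database is empty and the scan passes with zero findings, which nothing in the workflow would notice since the following step only prints the SARIF. An explicit `- uses: github/codeql-action/autobuild@2ca79b6fa8d3ec278944088b4aa5f46912db5d63` between the init and analyze steps makes the build visible in the log and makes its failure fail the job, which is what a gating scan needs. The same applies to the report.yml hunk of this patch.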