Create codeql-analysis.yml

[afrittoli]

Changes

Enable the standard codeql analysis from GitHub.
This runs as a GitHub action. The configuration is the vanilla one proposed by GitHub.

/kind misc

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• [-] Docs included if any changes are user facing
• [-] Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)
• Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

NONE

[afrittoli]

/test pull-tekton-pipeline-alpha-integration-tests

[afrittoli]

@vdemeester @dibyom @bobcatfish This didn't find any issue - only a couple in test code which I dismissed as not relevant.
What do you think about keeping this action around i.e. merge the PR?

[dlorenc]

What do you think about keeping this action around i.e. merge the PR?

Just my 2c - I've never seen this find a relevant issue. It takes a long time and it's only ever noticed 2-3 things for me that weren't valid. I think codeql is better in native non-memory safe code. It's not really that annoying since false positives are rare, but any findings at all are very rare.

[vdemeester]

It doesn't take more time than any of our current jobs, so.. I am fine having it there.

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[abayer]

/lgtm