Add callable workflow

This moves all the remaining logic into this repository where it can
be more easily iterated on.

Author: rneatherway

.github/workflows/codeql-query.yml

@@ -0,0 +1,67 @@
+name: CodeQL query
+
+on:
+  workflow_call:
+    secrets:
+      ACTIONS_STEP_DEBUG:
+        description: step debug
+
+jobs:
+  run-query:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        repoIds: ${{ fromJSON(github.event.inputs.repoIdChunks) }}
+
+    steps:
+      # Use ::add::mask for all tokens.
+      # Theoretically we'll only output a subset of the tokens. Unless it causes a
+      # performance issue, we may as well mask all tokens to be extra safe.
+      # Note that masking does not persist to other/future jobs in the same workflow.
+      - name: Mask tokens
+        run: |
+          jq .inputs.repositories "$GITHUB_EVENT_PATH" --raw-output | \
+            jq '[.[].token , .[].pat] | map( select( . != null ) ) | .[]' --raw-output | \
+            xargs -I {} echo "::add-mask::{}"
+
+      # Extract the subset of the repositories input that we'll be analysing for this
+      # job, using the repoIds matrix input.
+      - name: Compute subset of repos
+        id: repos
+        shell: node {0}
+        run: |
+          const allRepos = ${{ github.event.inputs.repositories }};
+          const repoIds = new Set(${{ toJSON(matrix.repoIds) }});
+          const repositories = allRepos.filter(r => repoIds.has(r.id));
+          console.log(`::set-output name=repositories::${JSON.stringify(repositories)}`);
+
+      # This might not be the cleanest way to get hold of CodeQL but it's reliable
+      # and widely used. The ugly part is that is initialises a database of the
+      # given language that we just ignore.
+      - name: Initialize CodeQL
+        id: init
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ github.event.inputs.language }}
+
+      - name: Run query
+        uses: dsp-testing/qc-run2/query@rneatherway/usable
+        with:
+          query: ${{ github.event.inputs.query }}
+          language: ${{ github.event.inputs.language }}
+          repositories: ${{ steps.repos.outputs.repositories }}
+          codeql: ${{ steps.init.outputs.codeql-path }}
+
+  combine-results:
+    runs-on: ubuntu-latest
+    needs:
+      - run-query
+
+    steps:
+      - name: Combine results
+        uses: dsp-testing/qc-run2/combine-results@rneatherway/usable
+        with:
+          query: ${{ github.event.inputs.query }}
+          language: ${{ github.event.inputs.language }}
+          token: ${{ github.token }}

.github/workflows/tmp.yml

@@ -0,0 +1,27 @@
+name: CodeQL query
+
+on:
+  workflow_dispatch:
+    inputs:
+      query:
+        description: "Text of CodeQL query to run."
+        required: true
+
+      language:
+        description: "Language of CodeQL query"
+        required: true
+
+      # Handle this input very carefully as it contains sensitive data such as the authentication tokens!
+      repositories:
+        description: "Repositories to run the query against. A JSON encoded array of the form {id: number, nwo: string, token: string}[]"
+        required: true
+
+      repoIdChunks:
+        description: "Array of arrays of repository ids. Each of the inner arrays will be processed in a separate job"
+        required: true
+
+jobs:
+  top:
+    uses: dsp-testing/qc-run2/.github/workflows/codeql-query.yml@rneatherway/usable
+    secrets:
+      ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}