Revise nightly test & scan workflows (quantumlib#1015)

This updates the workflows to the latest version from our template repo.
It should fix the current failure with Scorecard, as well as streamline
the CodeQL runs.

Author: mhucka

.github/workflows/codeql.yaml

@@ -1,46 +1,89 @@
-# Summary: configuration for CodeQL.
+# Zero-configuration modular workflow to run CodeQL code scans.
+#
+# CodeQL is a semantic code analysis tool that finds vulnerabilities by
+# understanding the code's logic. It is provided by GitHub. CodeQL's findings
+# are reported in the repo's code-scanning results page,
+# https://github.com/quantumlib/REPO/security/code-scanning/.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 name: CodeQL code scan
-run-name: Do ${{inputs.reason}} CodeQL code scan
+run-name: Run CodeQL code scan ${{inputs.reason}}
 
 on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - master
+
+  # Support merge queues.
+  merge_group:
+    types:
+      - checks_requested
+
+  # Allow manual invocation.
+  workflow_dispatch:
+
   # Allow calling from nightly.yaml.
   workflow_call:
     inputs:
-      # Why is this workflow being called?
       reason:
         type: string
-        required: false
-
-  # Allow manual invocation.
-  workflow_dispatch:
 
 # Declare default permissions as read only.
 permissions: read-all
 
-# Cancel any previously-started but still active runs on the same branch.
-concurrency:
-  cancel-in-progress: true
-  group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
-
 jobs:
+  create-matrix:
+    name: Determine languages used
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    outputs:
+      language-matrix: ${{steps.matrix.outputs.languages}}
+    steps:
+      - name: Get list of programming languages used in this repo
+        id: matrix
+        uses: advanced-security/set-codeql-language-matrix@975244ea2e4c0668b8d289ac2b61fa7f0976f328
+        with:
+          access-token: ${{secrets.GITHUB_TOKEN}}
+          endpoint: ${{github.event.repository.languages_url}}
+
   codeql:
-    name: Run
+    if: ${{needs.create-matrix.outputs.language-matrix != '[]'}}
+    name: Run CodeQL scanner for ${{matrix.language}}
+    needs: create-matrix
     runs-on: ubuntu-24.04
+    timeout-minutes: 10
     permissions:
-      security-events: write
+      actions: read
+      contents: read
       packages: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ${{fromJSON(needs.create-matrix.outputs.language-matrix)}}
     steps:
       - name: Check out a copy of the git repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
+      - name: Initialize CodeQL scanning tool
+        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
         with:
-          languages: Python
+          languages: ${{matrix.language}}
+          queries: security-and-quality
+          config: |
+            paths-ignore:
+              - '**/*.gltf'
+              - '**/*.json'
+              - '**/*.md'
+              - '**/*.png'
+              - '**/*.rst'
+              - '**/*.svg'
+              - '**/*.stim'
+              - '**/*.txt'
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
         with:
-          category: '/language:Python'
+          category: "/language:${{matrix.language}}"

.github/workflows/nightly-pytest.yaml

@@ -2,8 +2,8 @@
 # This workflow expects input values passed by nightly.yml.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-name: Nightly full tests – Pytest matrix
-run-name: Run ${{inputs.reason}} Pytest full tests
+name: 'Nightly tests & scans – Pytest matrix'
+run-name: Run nightly Pytest
 
 on:
   workflow_call:

.github/workflows/nightly.yaml

@@ -5,8 +5,8 @@
 # https://github.com/quantumlib/OpenFermion/actions/workflows/nightly.yaml
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-name: Nightly full tests
-run-name: Run nightly tests and code scans in ${{github.repository}}
+name: 'Nightly tests & scans'
+run-name: Run nightly tests and code scans
 
 on:
   schedule:
@@ -20,36 +20,37 @@ permissions: read-all
 
 jobs:
   cirq-stable:
-    name: Pytest Cirq stable release
+    name: Nightly Pytest Cirq stable
     uses: ./.github/workflows/nightly-pytest.yaml
     with:
       args: ''
-      reason: nightly
+      reason: '(nightly)'
 
   cirq-pre:
-    name: Pytest Cirq pre-release
+    name: Nightly Pytest Cirq pre-release
     uses: ./.github/workflows/nightly-pytest.yaml
     with:
       args: '--pre'
-      reason: nightly
+      reason: '(nightly)'
 
   codeql:
-    name: CodeQL code scan
+    name: Nightly CodeQL code scan
     uses: ./.github/workflows/codeql.yaml
     permissions: write-all
     with:
-      reason: nightly
+      reason: '(nightly)'
 
-  scorecard:
-    name: Scorecard code scan
-    uses: ./.github/workflows/scorecard.yaml
+  osv:
+    name: Nightly OSV code scan
+    uses: ./.github/workflows/osv-scanner.yaml
     permissions: write-all
     with:
-      reason: nightly
+      reason: '(nightly)'
 
-  osv:
-    name: OSV code scan
-    uses: ./.github/workflows/osv-scanner.yaml
+  scorecard:
+    name: Nightly Scorecard analysis
+    uses: ./.github/workflows/scorecard.yaml
     permissions: write-all
+    secrets: inherit
     with:
-      reason: nightly
+      reason: '(nightly)'

.github/workflows/osv-scanner.yaml

@@ -1,79 +1,118 @@
-# Summary: run Open Source Vulnerabilities (OSV) code scan.
+# Zero-config modular workflow to run Open Source Vulnerabilities code scans.
+#
+# The OSV scanner is a dependency vulnerability scanner that identifies known
+# vulnerabilities in a project's dependencies. It supports C/C++, Python, Java,
+# JavaScript, and others. The findings are reported in the repo's code-scanning
+# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
 #
 # The OSV project provides a GA workflow that you can reference as a step with
-# "uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml".
-# Unfortunately, that workflow inexplicably doesn't use the latest version of
-# the scanner and reporter workflows, and also does other things like hard-code
-# the value of the osv-scanner "--gh-annotations" option to "false". Using the
-# separate actions directly allows us to adjust the options and use Dependabot
-# to update the workflow versions as new ones are introduced.
+# uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml.
+# Unfortunately, that workflow hardcodes some behaviors (such as uploading the
+# SARIF file to the workflow Actions tab, which we rarely need). The workflow
+# below is basically a heavily modified version of theirs.
 #
-# For more examples and options, including how to ignore specific
+# For more OSV scanner examples and options, including how to ignore specific
 # vulnerabilities, see https://google.github.io/osv-scanner/github-action/.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 name: OSV code scan
-run-name: Do ${{inputs.reason}} OSV code scan
+run-name: Run OSV vulnerability scanner ${{inputs.reason}}
 
 on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - master
+
+  # Support merge queues.
   merge_group:
     types:
       - checks_requested
 
+  # Allow manual invocation.
+  workflow_dispatch:
+
   # Allow calling from nightly.yaml.
   workflow_call:
     inputs:
-      # Why is this workflow being called?
       reason:
         type: string
-        required: false
-
-  # Allow manual invocation.
-  workflow_dispatch:
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   osv-scan:
-    name: Run
-    runs-on: ubuntu-22.04
+    name: Run OSV scanner
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
+      # Needed to read commit contents:
+      actions: read
+      # Needed to upload the results to code-scanning dashboard:
       security-events: write
-      # Read commit contents
+      # Needed to upload SARIF file to CodeQL.
       contents: read
-      actions: read
     steps:
       - name: Check out a copy of the git repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Check out the target branch
+        run: |
+          git checkout ${{github.base_ref || github.ref_name}}
+          git submodule update --recursive
+
+      - name: Run OSV scanner on existing code
+        # yamllint disable rule:line-length
+        uses: google/osv-scanner-action/osv-scanner-action@119c605e0e6e6c491e092da25b0c752d109b0b43 # v2.0.0
+        continue-on-error: true
+        with:
+          scan-args: |-
+            --format=json
+            --output=old-results.json
+            --include-git-root
+            --recursive
+            ./
+
+      - name: Check out current branch
+        # Use -f in case any changes were made by osv-scanner.
+        run: |
+          git checkout -f "$GITHUB_SHA"
+          git submodule update --recursive
 
-      - name: Run OSV scanner
+      - name: Run OSV scanner on new code
         # yamllint disable rule:line-length
-        uses: google/osv-scanner-action/osv-scanner-action@90fad544eb4036129491f76db3161ffdc2956748 # v1.9.2
+        uses: google/osv-scanner-action/osv-scanner-action@119c605e0e6e6c491e092da25b0c752d109b0b43 # v2.0.0
         continue-on-error: true
         with:
           scan-args: |-
-            --config=.osv-scanner.toml
             --format=json
-            --output=osv-results.json
+            --output=new-results.json
+            --include-git-root
             --recursive
             ./
 
-      - name: Run OSV reporter
+      - name: Run the OSV scanner reporter
         # yamllint disable rule:line-length
-        uses: google/osv-scanner-action/osv-reporter-action@90fad544eb4036129491f76db3161ffdc2956748 # v1.9.2
+        uses: google/osv-scanner-action/osv-reporter-action@119c605e0e6e6c491e092da25b0c752d109b0b43 # v2.0.0
         with:
           scan-args: |-
             --output=osv-results.sarif
-            --new=osv-results.json
+            --old=old-results.json
+            --new=new-results.json
             --gh-annotations=true
             --fail-on-vuln=true
 
-      - name: Upload to code-scanning dashboard
-        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      - name: Upload results to the repository's code-scanning results dashboard
+        id: upload_artifact
+        # yamllint disable rule:line-length
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: osv-results.sarif
+
+      - name: Error troubleshooter
+        if: ${{always() && steps.upload_artifact.outcome == 'failure'}}
+        run: echo '::error::Artifact upload failed. Check the workflow logs.'