1 files changed, 59 insertions, 0 deletions

diff --git a/.github/workflows/meshmc-codeql.yml b/.github/workflows/meshmc-codeql.yml
new file mode 100644
index 0000000000..6dd764849a
--- /dev/null
+++ b/.github/workflows/meshmc-codeql.yml
@@ -0,0 +1,59 @@
+name: "MeshMC: CodeQL"
+
+concurrency:
+  group: meshmc-codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  merge_group:
+    types: [checks_requested]
+  pull_request:
+    paths:
+      - 'meshmc/**'
+      - '.github/workflows/meshmc-codeql.yml'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  CodeQL:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    defaults:
+      run:
+        working-directory: meshmc
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          submodules: "true"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          config-file: ./.github/codeql/codeql-config.yml
+          queries: security-and-quality
+          languages: cpp, java
+
+      - name: Setup dependencies
+        uses: ./.github/actions/meshmc/setup-dependencies
+        with:
+          build-type: Debug
+          qt-version: 6.9.3
+
+      - name: Configure and Build
+        run: |
+          cmake --preset linux -DLauncher_USE_PCH=OFF
+          cmake --build --preset linux --config Debug
+
+      - name: Run tests
+        run: |
+          ctest --preset linux --build-config Debug --extra-verbose --output-on-failure
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4