GHA/codeql: re-enable for C with the default query pack

Earlier we used `security-extended` and tried `security-and-quality`.
Try the default to see how it works.

CodeQL no longer uses the project's Actions cache, also fixing
the previously seen repeat cache entry issue.

- switch to `manual` build. It's 3x faster than the default `autobuild`.
- enable more dependencies to increase coverage.
- docs/tests/CI.md: re-add CodeQL.

Ref: https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites
Ref: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
Ref: #16263
Ref: 173805b2e7 #15798

Closes #18528

.github/scripts/spellcheck.words

@@ -122,6 +122,7 @@ CMakeLists
 CNA
 CNAME
 CNAMEs
+CodeQL
 CODESET
 codeset
 CodeSonar

.github/workflows/codeql.yml

@@ -59,3 +59,37 @@ jobs:
 
       - name: 'perform analysis'
         uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3
+
+  c:
+    name: 'C'
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: 'install prereqs'
+        timeout-minutes: 5
+        run: |
+          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+          sudo apt-get -o Dpkg::Use-Pty=0 update
+          sudo rm -f /var/lib/man-db/auto-update
+          sudo apt-get -o Dpkg::Use-Pty=0 install libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: 'initialize'
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3
+        with:
+          languages: cpp
+          build-mode: manual
+
+      - name: 'build'
+        timeout-minutes: 10
+        run: |
+          cmake -B . -G Ninja
+          cmake --build . --verbose
+          src/curl -V
+
+      - name: 'perform analysis'
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3

docs/tests/CI.md

@@ -31,8 +31,10 @@ Consider the following table while looking at pull request failures:
 
  | CI platform as shown in PR          | State  | What to look at next       |
  | ----------------------------------- | ------ | -------------------------- |
+ | CI / CodeQL                         | stable | quality check results      |
  | CI / fuzzing                        | stable | fuzzing results            |
  | CI / macos ...                      | stable | all errors and failures    |
+ | Code scanning results / CodeQL      | stable | quality check results      |
  | FreeBSD FreeBSD: ...                | stable | all errors and failures    |
  | LGTM analysis: Python               | stable | new findings               |
  | LGTM analysis:  C/C++               | stable | new findings               |
@@ -40,6 +42,7 @@ Consider the following table while looking at pull request failures:
  | AppVeyor                            | flaky  | all errors and failures    |
  | curl.curl (linux ...)               | stable | all errors and failures    |
  | curl.curl (windows ...)             | flaky  | repetitive errors/failures |
+ | CodeQL                              | stable | new findings               |
 
 Sometimes the tests fail due to a dependency service temporarily being offline
 or otherwise unavailable, for example package downloads. In this case you can
@@ -58,6 +61,7 @@ GitHub Actions runs the following tests:
 - macOS tests with a variety of different compilation options
 - Fuzz tests ([see the curl-fuzzer repo for more
   info](https://github.com/curl/curl-fuzzer)).
+- CodeQL static analysis
 
 These are each configured in different files in `.github/workflows`.