
CI: Integrate coretrace-stack-analyzer into GitHub Actions (SARIF + Code Scanning) #46

@SizzleUnrlsd


Context

We want to run coretrace-stack-analyzer automatically in CI to detect stack-related issues in our C/C++ codebase and publish results in GitHub using SARIF (Security → Code scanning). We also want to keep the SARIF file as a downloadable artifact for debugging and traceability.

Goals

- Run coretrace-stack-analyzer on:
  - pull_request (required)
  - push to main (recommended)
- Generate a SARIF report at: reports/coretrace-stack-analyzer.sarif
- Upload SARIF to GitHub Code Scanning
- Upload SARIF as a workflow artifact (always, even on failure)
- Make the workflow deterministic (pinned versions / reproducible environment)

Non-Goals

- PR commenting bot / annotations (separate follow-up)
- External dashboards or storage outside GitHub

Assumptions / Constraints

- Primary target: ubuntu-latest (extend to macOS/windows later if needed)
- The analyzer either:
  - consumes a compile_commands.json, or
  - can analyze directly from repo root with a CLI target selection
- SARIF output is SARIF 2.1.0 compatible with GitHub Code Scanning

Proposed Implementation

Add a workflow: .github/workflows/coretrace-stack-analyzer.yml

High-level Steps

1. Checkout repository
2. Install dependencies (toolchain, cmake/ninja, clang/llvm if needed)
3. Build/install coretrace-stack-analyzer (or download a pinned release binary)
4. (Optional) Generate compile_commands.json if required
5. Run analyzer → write SARIF to reports/coretrace-stack-analyzer.sarif
6. Upload SARIF to Code Scanning (github/codeql-action/upload-sarif@v3)
7. Upload reports/ as an artifact (actions/upload-artifact@v4) with if: always()
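As an added example (not code from this issue or from the coretrace-stack-analyzer project), here is one workflow that carries out steps 1 to 7 above and also covers the "paths stable across runs" and "always upload the artifact" criteria. Several things are assumptions because the issue does not document them: the repository URL `https://github.com/ORG/coretrace-stack-analyzer`, that the analyzer is a CMake project, the analyzer's command-line flags (`--compile-commands`, `--sarif`), and the `vX.Y.Z` tag, which is a placeholder for the version to pin. The jq step that strips the runner workspace prefix from `uri` fields is belt-and-braces for the path-stability criterion; drop it if the tool already emits repo-relative paths.

```yaml
# .github/workflows/coretrace-stack-analyzer.yml (added example; not the project's own file)
name: coretrace-stack-analyzer

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: read the repo, write Code Scanning alerts, nothing else.
permissions:
  contents: read
  security-events: write
  actions: read

# Never race two analyses of the same ref.
concurrency:
  group: coretrace-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  SARIF_PATH: reports/coretrace-stack-analyzer.sarif
  # PLACEHOLDER: pin to a real release tag; never "latest".
  CORETRACE_VERSION: "vX.Y.Z"

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install toolchain
        run: |
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends cmake ninja-build clang jq

      - name: Build coretrace-stack-analyzer from a pinned tag
        run: |
          # ASSUMPTION: repository URL and CMake build are placeholders; replace
          # with the tool's documented install (or a pinned release binary).
          git clone --depth 1 --branch "${CORETRACE_VERSION}" \
            https://github.com/ORG/coretrace-stack-analyzer.git /tmp/cta
          cmake -S /tmp/cta -B /tmp/cta/build -G Ninja -DCMAKE_BUILD_TYPE=Release
          cmake --build /tmp/cta/build
          sudo cmake --install /tmp/cta/build

      - name: Generate compile_commands.json
        run: cmake -S . -B build -G Ninja -DCMAKE_EXPORT_COMPILE_COMMANDS=ON

      - name: Run analyzer (writes SARIF)
        run: |
          mkdir -p reports
          # ASSUMPTION: flag names are placeholders for the real CLI.
          coretrace-stack-analyzer \
            --compile-commands build/compile_commands.json \
            --sarif "${SARIF_PATH}"

      - name: Verify SARIF version and make paths repo-relative
        # Runs even if the analyzer exited non-zero, as long as a file exists.
        if: always() && hashFiles('reports/coretrace-stack-analyzer.sarif') != ''
        run: |
          test "$(jq -r .version "${SARIF_PATH}")" = "2.1.0"
          # Strip the workspace prefix so alerts key on stable, repo-relative paths.
          tmp="$(mktemp)"
          jq --arg ws "${GITHUB_WORKSPACE}/" \
            '(.. | select(type == "object" and has("uri")) | .uri) |= ltrimstr($ws)' \
            "${SARIF_PATH}" > "${tmp}" && mv "${tmp}" "${SARIF_PATH}"

      - name: Upload SARIF to Code Scanning
        if: always() && hashFiles('reports/coretrace-stack-analyzer.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: reports/coretrace-stack-analyzer.sarif
          category: coretrace-stack-analyzer

      - name: Upload reports/ as an artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: coretrace-stack-analyzer-sarif
          path: reports/
          if-no-files-found: warn
          retention-days: 14
```

The `hashFiles(...) != ''` guard keeps the upload-sarif step from failing on a missing file when the analyzer crashed before writing output, while the artifact step still runs unconditionally so the partial `reports/` directory is available for debugging. Using `category` on the upload lets this tool's alerts coexist with other SARIF producers on the same commit without overwriting each other.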

Acceptance Criteria

- Workflow triggers on PRs and pushes to main
- reports/coretrace-stack-analyzer.sarif is generated on CI
- Results appear in Security → Code scanning
- SARIF is uploaded as an artifact even if analyzer returns non-zero (if: always())
- Paths in SARIF are stable across runs (no duplicated alerts due to path changes)
- Tool version and/or toolchain is pinned (no “floating latest”)
- Minimal documentation added (how to run locally + what CI does)

Tasks

- Add .github/workflows/coretrace-stack-analyzer.yml
- (Optional) Add wrapper script scripts/ci/run-coretrace-stack-analyzer.sh
- Standardize report location: reports/coretrace-stack-analyzer.sarif
- Add SARIF upload step with proper permissions
- Add artifact upload step (if: always())
- Add README section: “CI: coretrace-stack-analyzer”

Labels: enhancement (New feature or request)