Create codeql.yml#5
Merged
Merged
Conversation
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
There was a problem hiding this comment.
Pull request overview
Adds a GitHub Actions workflow to run GitHub CodeQL “advanced” code scanning for the repository to improve automated security/code-quality analysis.
Changes:
- Introduces
.github/workflows/codeql.ymlto run CodeQL onpush,pull_request, and a weekly cron schedule. - Configures a language matrix for
java-kotlinandjavascript-typescriptwith per-languagebuild-mode.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+45
to
+49
| include: | ||
| - language: java-kotlin | ||
| build-mode: none # This mode only analyzes Java. Set this to 'autobuild' or 'manual' to analyze Kotlin too. | ||
| - language: javascript-typescript | ||
| build-mode: none |
Comment on lines
+58
to
+80
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Add any setup steps before running the `github/codeql-action/init` action. | ||
| # This includes steps like installing compilers or runtimes (`actions/setup-node` | ||
| # or others). This is typically only required for manual builds. | ||
| # - name: Setup runtime (example) | ||
| # uses: actions/setup-example@v1 | ||
|
|
||
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v4 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| build-mode: ${{ matrix.build-mode }} | ||
| # If you wish to specify custom queries, you can do so here or in a config file. | ||
| # By default, queries listed here will override any specified in a config file. | ||
| # Prefix the list here with "+" to use these queries and those in the config file. | ||
|
|
||
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | ||
| # queries: security-extended,security-and-quality | ||
|
|
Comment on lines
+81
to
+101
| # If the analyze step fails for one of the languages you are analyzing with | ||
| # "We were unable to automatically build your code", modify the matrix above | ||
| # to set the build mode to "manual" for that language. Then modify this step | ||
| # to build your code. | ||
| # ℹ️ Command-line programs to run using the OS shell. | ||
| # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun | ||
| - name: Run manual build steps | ||
| if: matrix.build-mode == 'manual' | ||
| shell: bash | ||
| run: | | ||
| echo 'If you are using a "manual" build mode for one or more of the' \ | ||
| 'languages you are analyzing, replace this with the commands to build' \ | ||
| 'your code, for example:' | ||
| echo ' make bootstrap' | ||
| echo ' make release' | ||
| exit 1 | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v4 | ||
| with: | ||
| category: "/language:${{matrix.language}}" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces a new GitHub Actions workflow for CodeQL analysis, enabling automated security and code quality scanning for the repository. The workflow is configured to run on pushes, pull requests, and on a schedule, and supports multiple languages.
CI/CD and Security Improvements:
.github/workflows/codeql.ymlworkflow that sets up CodeQL analysis forjava-kotlinandjavascript-typescriptlanguages, running on pushes, pull requests, and a weekly schedule. This workflow helps automate security and code quality checks using GitHub's CodeQL tools.