
ci(codeql): switch matrix javascript-typescript → actions (no JS source)#45

Merged
hyperpolymath merged 1 commit into main from ci/codeql-matrix-actions-not-js on May 30, 2026
Conversation

@hyperpolymath
Owner

Summary

.github/workflows/codeql.yml had language: javascript-typescript but this repo contains zero JS/TS source files. CodeQL's analyze job exited "configuration error: no source files" on every run.

Fix

Switch the matrix to language: actions — CodeQL's workflow-scanning lane (inspects .github/workflows/*.yml for injection/leak patterns). Every repo has workflow files, so this lane always has signal.

Estate-wide context

One of 4 zero-JS repos in the 2026-05-30 audit. Hypatia rule WF008 (check_codeql_language_matrix_mismatch) detects the pattern automatically going forward.

🤖 Generated with Claude Code

…o JS source)

`.github/workflows/codeql.yml` had `language: javascript-typescript` but
this repo contains zero JS/TS/JSX/TSX source files (verified via git
tree scan, excluding vendored/build paths). The CodeQL `analyze` job
therefore exited with "configuration error: no source files" on every
run, blocking Dependabot PRs.

Switch the matrix to `actions` — CodeQL's workflow-scanning lane, which
inspects `.github/workflows/*.yml` for security issues. Every repo has
workflow files, so this lane always has something useful to scan.

Detector: hypatia rule WF008 (`check_codeql_language_matrix_mismatch`)
already fires on this pattern via `has_codeql_supported_language` opts.

Caught by the 2026-05-30 estate CI/CD audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 2f53216 into main May 30, 2026
1 check passed
@hyperpolymath hyperpolymath deleted the ci/codeql-matrix-actions-not-js branch May 30, 2026 18:35
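The mismatch described in the PR (a CodeQL matrix lane configured for a language the repository does not contain, so `analyze` exits with "no source files") is straightforward to check before CodeQL ever runs. The following is an added example written for this page; it is not Hypatia's WF008 rule nor any code from this repository. It assumes a small, illustrative extension map per CodeQL lane (not CodeQL's authoritative list), a constructed file tree, and two constructed `codeql.yml` fragments showing the broken `javascript-typescript` matrix beside the `actions` fix. The YAML is read with a deliberately narrow regex so the script has no dependency beyond the standard library.

```python
import os
import re
from pathlib import Path

# Source extensions each CodeQL lane extracts. Assumption: an illustrative
# subset for this example, not CodeQL's authoritative mapping.
LANGUAGE_EXTENSIONS = {
    "javascript-typescript": {".js", ".jsx", ".mjs", ".cjs", ".ts", ".tsx"},
    "python": {".py"},
    "go": {".go"},
    "java-kotlin": {".java", ".kt"},
    "c-cpp": {".c", ".cc", ".cpp", ".h", ".hpp"},
    "ruby": {".rb"},
    "rust": {".rs"},
}

# Vendored/build directories are not first-party source; counting them would
# make a matrix lane look justified when it is not.
EXCLUDED_DIRS = {".git", "node_modules", "vendor", "dist", "build", "target"}

WORKFLOW_DIR = ".github/workflows/"


def codeql_matrix_languages(codeql_yml: str) -> list[str]:
    """Extract lane names from `language: [...]` (flow style) or
    `- language: x` (include-list style) entries in codeql.yml text."""
    langs: list[str] = []
    for m in re.finditer(r"language:\s*(\[[^\]]*\]|[^\s#]+)", codeql_yml):
        raw = m.group(1)
        if "${{" in raw:  # skip the init step's `language: ${{ matrix.language }}`
            continue
        items = raw.strip("[]").split(",") if raw.startswith("[") else [raw]
        for item in items:
            item = item.strip().strip("'\"")
            if item and item not in langs:
                langs.append(item)
    return langs


def source_files_for(language: str, paths: list[str]) -> list[str]:
    """Repo-relative paths that give the named lane something to scan.
    The `actions` lane reads workflow files, which every repo has."""
    if language == "actions":
        return [p for p in paths
                if p.startswith(WORKFLOW_DIR) and p.endswith((".yml", ".yaml"))]
    exts = LANGUAGE_EXTENSIONS.get(language, set())
    return [p for p in paths
            if not EXCLUDED_DIRS.intersection(Path(p).parts)
            and Path(p).suffix.lower() in exts]


def mismatched_languages(codeql_yml: str, paths: list[str]) -> list[str]:
    """Matrix lanes for which the tree holds zero source files; CodeQL's
    analyze job fails with 'no source files' for each of these."""
    return [lang for lang in codeql_matrix_languages(codeql_yml)
            if not source_files_for(lang, paths)]


def walk_repo(root: str) -> list[str]:
    """List repo-relative files of a real checkout, skipping excluded dirs.
    (The sample run below uses the constructed tree instead.)"""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return found


# Constructed fragments: the broken matrix from the PR, then the fix.
BEFORE_YML = """\
jobs:
  analyze:
    strategy:
      matrix:
        language: [ 'javascript-typescript' ]
    steps:
      - uses: github/codeql-action/init@v3
        with:
          language: ${{ matrix.language }}
"""

AFTER_YML = """\
jobs:
  analyze:
    strategy:
      matrix:
        include:
          - language: actions
            build-mode: none
    steps:
      - uses: github/codeql-action/init@v3
        with:
          language: ${{ matrix.language }}
"""

# Constructed file tree: no first-party JS/TS; the only .js file is vendored.
SAMPLE_TREE = [
    "README.md",
    "src/server.rs",
    ".github/workflows/codeql.yml",
    ".github/workflows/governance.yml",
    "node_modules/leftover/index.js",
]

if __name__ == "__main__":
    for label, yml in (("before", BEFORE_YML), ("after", AFTER_YML)):
        print(f"{label}: matrix={codeql_matrix_languages(yml)} "
              f"lanes with no source={mismatched_languages(yml, SAMPLE_TREE)}")
```

Run against a real checkout with `mismatched_languages(open('.github/workflows/codeql.yml').read(), walk_repo('.'))`; a non-empty result is the same condition that made this repository's `analyze` job fail. The vendored-path exclusion matters: a stray `.js` under `node_modules` would otherwise justify a lane that has nothing first-party to scan.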
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions

🔍 Hypatia Security Scan

Findings: 79 issues detected

Severity Count
🔴 Critical 0
🟠 High 32
🟡 Medium 47
[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/vcs-ircd/vcs-ircd",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in aur-publish.yml",
    "type": "missing_timeout_minutes",
    "file": "aur-publish.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in aur-publish.yml",
    "type": "missing_timeout_minutes",
    "file": "aur-publish.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "missing_timeout_minutes",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in container.yml",
    "type": "missing_timeout_minutes",
    "file": "container.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dependabot-automerge.yml",
    "type": "missing_timeout_minutes",
    "file": "dependabot-automerge.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in generator-generic-ossf-slsa3-publish.yml",
    "type": "missing_timeout_minutes",
    "file": "generator-generic-ossf-slsa3-publish.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in generator-generic-ossf-slsa3-publish.yml",
    "type": "missing_timeout_minutes",
    "file": "generator-generic-ossf-slsa3-publish.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in governance.yml",
    "type": "missing_timeout_minutes",
    "file": "governance.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
