Conversation
Removed comments and unnecessary steps from CodeQL workflow.
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
Pull request overview
Adds a GitHub Actions workflow to run GitHub CodeQL “Advanced” analysis for this repository to surface security findings in the GitHub Security tab.
Changes:
- Introduces a new `.github/workflows/codeql.yml` workflow.
- Configures CodeQL runs on `push`/`pull_request` targeting `main`, plus a weekly scheduled run.
- Sets up a matrix to analyze `actions` and `python`.
```yaml
- language: actions
  build-mode: none
- language: python
  build-mode: none
```
The `matrix.include` list is mis-indented. As written, the `- language:` entries are at the same indentation level as `include:`, which makes the YAML invalid (or changes the structure) and will prevent the workflow from running. Indent the list items under `include:`.

Suggested change:
```yaml
- language: actions
  build-mode: none
- language: python
  build-mode: none
```
```yaml
- name: Checkout repository
  uses: actions/checkout@v4

- name: Initialize CodeQL
  uses: github/codeql-action/init@v4
  with:
    languages: ${{ matrix.language }}
    build-mode: ${{ matrix.build-mode }}

- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v4
  with:
    category: "/language:${{matrix.language}}"
```
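Review bot: all three `uses:` references in this step list (`actions/checkout@v4`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`) point at mutable major-version tags, so whatever the tag is moved to later is what runs in a job that is allowed to write to the Security tab. Pin each action to a full commit SHA with the version in a trailing comment (for example `uses: actions/checkout@<commit-sha> # v4`) and let Dependabot or Renovate bump the SHA, so the workflow only ever executes code that was reviewed when the pin was set.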
The `steps` list is mis-indented: the `- name:` entries are aligned with `steps:` instead of being nested under it. This makes the workflow YAML invalid and will cause the job to fail to parse. Indent each step item under `steps:`.

Suggested change:
```yaml
- name: Checkout repository
  uses: actions/checkout@v4
- name: Initialize CodeQL
  uses: github/codeql-action/init@v4
  with:
    languages: ${{ matrix.language }}
    build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v4
  with:
    category: "/language:${{matrix.language}}"
```
```yaml
name: Analyze (${{ matrix.language }})
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
permissions:
  security-events: write
```
The job sets explicit permissions, but it doesn't grant `contents: read`. If the repo is configured with restricted default token permissions, `actions/checkout` and CodeQL init may fail. Consider adding `contents: read` (and optionally `actions: read` per CodeQL docs) and only keep `packages: read` if it's actually needed.

Suggested change:
```yaml
security-events: write
contents: read
actions: read
```
```yaml
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
```
`runs-on` has a conditional branch for `swift`, but `swift` is not part of the matrix. This extra condition adds confusion without effect; consider simplifying `runs-on` to a single runner or removing the unused `swift` branch.

Suggested change:
```yaml
runs-on: ubuntu-latest
```
```yaml
build-mode: none
steps:
  - name: Checkout repository
    uses: actions/checkout@v4
```
This workflow uses `actions/checkout@v4` while other workflows in the repo use `actions/checkout@v6` (e.g., `.github/workflows/test.yml`, `.github/workflows/release.yml`). Consider bumping to `@v6` for consistency and to pick up the latest fixes.

Suggested change:
```yaml
uses: actions/checkout@v6
```
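Pulling the review comments together, here is what the whole workflow looks like once every suggestion is applied. This is an added example written for this page, not the file from the pull request: the indentation is restored as YAML requires, `contents: read` and `actions: read` are granted alongside `security-events: write`, the unused `swift` branch in `runs-on` is dropped, and `actions/checkout` is bumped to `@v6`. The cron expression, the top-level `permissions: {}` default, and `fail-fast: false` are assumptions; the PR only says the run is weekly and targets `main`.

```yaml
# Added example (not the PR's own file): the CodeQL workflow with all review
# feedback from this thread applied. Assumed details are marked inline.
name: "CodeQL Advanced"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 3 * * 1"   # assumption: the PR only says "weekly"

# Assumption: start from an empty default token and let the job ask for
# exactly the scopes it needs.
permissions: {}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # No swift entry in the matrix, so a single Linux runner is enough.
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF results to the Security tab
      contents: read           # required by actions/checkout
      actions: read            # required by codeql-action on private repos
    strategy:
      fail-fast: false         # assumption: keep analysing python if actions fails
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: python
            build-mode: none
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
```

The `category` value keeps the `/language:` prefix so the two matrix legs upload as distinct analyses instead of overwriting each other. Before merging a file like this, run it through `actionlint` (or open it in the GitHub workflow editor) to catch the kind of indentation slip the review flagged, and consider replacing the `@v4`/`@v6` tags with full commit SHAs so the job that holds `security-events: write` cannot be changed by a moved tag.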
@copilot can you fix all feedback in a follow-up PR?

@copilot please fix all feedback in a follow-up PR
This pull request introduces a new GitHub Actions workflow to enable advanced CodeQL security analysis for the repository. The workflow is triggered on pushes, pull requests, and a weekly schedule, and it supports multiple languages.
Security and CI improvements:
- `.github/workflows/codeql.yml` workflow that runs CodeQL analysis for `actions` and `python` code on main branch pushes, pull requests, and on a weekly schedule. The workflow checks out the code, initializes CodeQL for each language, and performs security analysis, with results uploaded to the GitHub Security tab.