From e9e61fa8c052f1045413e59e01578382e8892072 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:31 +0100 Subject: [PATCH 01/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- .github/workflows/codeql.yml | 52 ++++++++++++++++++++++++++++++------ 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9c9bff0..ee15d90 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
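Review bot: `stats=$(gh api ... 2>/dev/null || echo "")` in the new `detect` step fails open: an API error (rate limit, outage, a token that cannot read the repo) is indistinguishable from a repo with no supported languages, so `langs` becomes `[]`, `analyze` is skipped by its `if:`, and the run goes green although nothing was scanned. A detection failure should fail the job instead of silently disabling scanning, e.g. `stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]') || { echo "::error::could not query repository languages; refusing to skip CodeQL"; exit 1; }`. Using the runner-provided `$GITHUB_REPOSITORY` rather than inlining `${{ github.repository }}` would also keep the script free of expression substitution, which is the habit worth keeping in `run:` blocks. The same step is copied verbatim into the corresponding hunks for bitfuckit, contractiles, contractiles/runners/must, recon-silly-ation, rpa-elysium, scaffoldia, stateful-artefacts, tools/dispatcher, tools/hud and tools/reunify, so the fix applies to each.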
@@ -20,21 +58,19 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: javascript-typescript - build-mode: none + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From cdf9132023887c67eeaa5e13d9b1d513b67279cd Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:33 +0100 Subject: [PATCH 02/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- bitfuckit/.github/workflows/codeql.yml | 54 +++++++++++++++++++++----- 1 file changed, 45 insertions(+), 9 deletions(-) diff --git a/bitfuckit/.github/workflows/codeql.yml b/bitfuckit/.github/workflows/codeql.yml index 7f6e34d..ee15d90 100644 --- a/bitfuckit/.github/workflows/codeql.yml +++ b/bitfuckit/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: MPL-2.0-or-later +# SPDX-License-Identifier: PMPL-1.0-or-later name: CodeQL Security Analysis on: 
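Review bot: the new pins `github/codeql-action/init@0d579ffd…` and `analyze@0d579ffd…` carry the comment `# v3.28.1`, but the lines they replace (`662472033e…` here, and `5d4e8d1a…`, `38697555…`, `cdefb33c…` in later commits of this series) all carried the same `# v3.28.1` label, so at most one of these five SHAs can actually be that release. The trailing version comment is what reviewers and pin-updating tools key on, so the label on `0d579ffd…` (and on `actions/checkout@de0fac2e… # v6.0.2`) should be verified against the tag it claims before merge and corrected if it is a different release. The same replacement appears in the second hunk of every file in this series.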
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
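Review bot: `arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .)` only survives the no-language case because the step runs under the default `bash -e {0}` without `pipefail`, so the last command (`jq -s`) masks `grep .` exiting 1 on empty input. If anyone later sets `shell: bash` (which GitHub runs as `bash -eo pipefail`) or a workflow-level `defaults.run.shell`, the command substitution returns non-zero and `set -e` aborts the step on exactly the repos this change is meant to fix, before `[ -z "$arr" ] && arr='[]'` can run. Letting `jq` handle the empty case removes the dependency on shell options: `arr=$(printf '%s\n' $out | jq -R 'select(length > 0)' | jq -s -c 'unique')`. This applies to every copy of the step in the series.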
@@ -20,21 +58,19 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: javascript-typescript - build-mode: none + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From 49e21d5b9521133d7d9a06849a838885adcfb4cd Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:35 +0100 Subject: [PATCH 03/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- contractiles/.github/workflows/codeql.yml | 54 +++++++++++++++++++---- 1 file changed, 45 insertions(+), 9 deletions(-) diff --git a/contractiles/.github/workflows/codeql.yml b/contractiles/.github/workflows/codeql.yml index 268e4c8..ee15d90 100644 --- a/contractiles/.github/workflows/codeql.yml +++ b/contractiles/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: PMPL-1.0 +# SPDX-License-Identifier: PMPL-1.0-or-later name: CodeQL Security Analysis on: 
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
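Review bot: the job comment above `detect:` should state what the language list actually is: `repos/…/languages` returns GitHub's linguist statistics, which are computed for the repository as a whole (presumably the default branch, refreshed asynchronously after a push), not for the commit being analysed. A pull request that introduces the first Python or JS/TS files will therefore presumably be analysed with the pre-change language set until the stats catch up, and a repo whose `.gitattributes` linguist overrides hide a language will never be scanned for it. I would add `# NOTE: language stats come from linguist (default branch, refreshed after push), not from the checked-out commit; a PR that adds a new language is scanned only once the stats reflect it` to that comment block. This applies to every copy of the step in the series.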
@@ -20,21 +58,19 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: javascript-typescript - build-mode: none + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From 2413e0b541feb97f4070b3d903665058ad53977a Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:37 +0100 Subject: [PATCH 04/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- .../runners/must/.github/workflows/codeql.yml | 52 ++++++++++++++++--- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/contractiles/runners/must/.github/workflows/codeql.yml b/contractiles/runners/must/.github/workflows/codeql.yml index 3575cd9..ee15d90 100644 --- a/contractiles/runners/must/.github/workflows/codeql.yml +++ b/contractiles/runners/must/.github/workflows/codeql.yml 
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
@@ -20,21 +58,19 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: javascript-typescript - build-mode: none + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From e90c065402f057a3eeb5099f23874fc490bcb28f Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:40 +0100 Subject: [PATCH 05/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- .../.github/workflows/codeql.yml | 52 ++++++++++++++++--- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/recon-silly-ation/.github/workflows/codeql.yml b/recon-silly-ation/.github/workflows/codeql.yml index 3575cd9..ee15d90 100644 --- a/recon-silly-ation/.github/workflows/codeql.yml +++ b/recon-silly-ation/.github/workflows/codeql.yml 
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
@@ -20,21 +58,19 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: javascript-typescript - build-mode: none + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From 657f11d56ba6cdbfc3a0c0d781fa53fea4ea05ef Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:42 +0100 Subject: [PATCH 06/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- rpa-elysium/.github/workflows/codeql.yml | 49 ++++++++++++++++++++---- 1 file changed, 41 insertions(+), 8 deletions(-) diff --git a/rpa-elysium/.github/workflows/codeql.yml b/rpa-elysium/.github/workflows/codeql.yml index 011b5ab..ee15d90 100644 --- a/rpa-elysium/.github/workflows/codeql.yml +++ b/rpa-elysium/.github/workflows/codeql.yml 
@@ -8,12 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
@@ -21,23 +58,19 @@ jobs: strategy: fail-fast: false matrix: - include: - # Rust is not supported by CodeQL — scan workflow actions only - # When JS/ReScript is added, add: javascript-typescript - - language: actions - build-mode: none + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From 4c063e702aa7622b4844b48da2cf484778d64ae9 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:44 +0100 Subject: [PATCH 07/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- scaffoldia/.github/workflows/codeql.yml | 52 +++++++++++++++++++++---- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/scaffoldia/.github/workflows/codeql.yml b/scaffoldia/.github/workflows/codeql.yml index 6368f07..ee15d90 100644 --- a/scaffoldia/.github/workflows/codeql.yml +++ b/scaffoldia/.github/workflows/codeql.yml 
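Review bot: the removed matrix entry `- language: actions` means this repo no longer runs the CodeQL `actions` queries over its own workflow files, and nothing in the new `detect` step can ever select `actions` because it only maps linguist languages; scaffoldia (next commit) and stateful-artefacts lose the same coverage. Since every repo carrying this workflow has workflow files, and `actions` was already running with `build-mode: none` here, the simplest fix is an unconditional `add actions` after the `grep` lines in `detect`. The deleted comment `# Rust is not supported by CodeQL` is also contradicted by the new `&& add rust` line; whether the pinned codeql-action build accepts `rust` as a language should be confirmed, since a Rust-only repo is the motivating case and would otherwise reproduce the configuration error this commit sets out to remove. The `analyze` job starts outside this hunk.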
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
@@ -20,21 +58,19 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: actions - build-mode: none + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From de83f28fc731ac7a5ef48976ab079f0b24fb00ff Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:46 +0100 Subject: [PATCH 08/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- .../.github/workflows/codeql.yml | 72 +++++++++++++------ 1 file changed, 50 insertions(+), 22 deletions(-) diff --git a/stateful-artefacts/.github/workflows/codeql.yml b/stateful-artefacts/.github/workflows/codeql.yml index 1d8e329..ee15d90 100644 --- a/stateful-artefacts/.github/workflows/codeql.yml +++ b/stateful-artefacts/.github/workflows/codeql.yml 
@@ -1,48 +1,76 @@ -# SPDX-License-Identifier: MPL-2.0-or-later +# SPDX-License-Identifier: PMPL-1.0-or-later name: CodeQL Security Analysis on: push: - branches: [main] + branches: [main, master] pull_request: - branches: [main] + branches: [main, master] schedule: - # Run at 00:00 UTC every Monday - - cron: '0 0 * * 1' - workflow_dispatch: + - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: - actions: read contents: read - security-events: write jobs: - analyze: - name: Analyze Code + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: runs-on: ubuntu-latest - timeout-minutes: 360 + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) 
+ [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write strategy: fail-fast: false matrix: - # CodeQL supports: 'cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' - # Haskell is not directly supported, so we use 'actions' to scan workflow files - language: ['actions'] + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - queries: +security-extended,security-and-quality - - - name: Autobuild - uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3 + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From 6f2c0d606256e1b790defe35beff55d304984380 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:48 +0100 Subject: [PATCH 09/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- tools/dispatcher/.github/workflows/codeql.yml | 52 ++++++++++++++++--- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/tools/dispatcher/.github/workflows/codeql.yml b/tools/dispatcher/.github/workflows/codeql.yml index 3575cd9..ee15d90 100644 
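Review bot: besides switching to detection, this hunk drops `queries: +security-extended,security-and-quality` from the `init` step and `workflow_dispatch:` from `on:`, neither of which the commit message mentions; the first reduces the scan to the default query suite, the second removes the ability to trigger a scan manually after a query or tool change. Unless the downgrade is intended, reinstate `queries: +security-extended,security-and-quality` under `with:` of the init step and `workflow_dispatch:` under `on:`. The removed `timeout-minutes: 360` and top-level `actions: read` look like harmless cleanup, but the dropped `language: ['actions']` entry loses workflow-file scanning here as it does in rpa-elysium and scaffoldia.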
--- a/tools/dispatcher/.github/workflows/codeql.yml +++ b/tools/dispatcher/.github/workflows/codeql.yml @@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
@@ -20,21 +58,19 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: javascript-typescript - build-mode: none + language: ${{ fromJSON(needs.detect.outputs.langs) }} steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 with: category: "/language:${{ matrix.language }}" From 97ee21d0a061bc1c54a698f6514e7818eee2712b Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:50 +0100 Subject: [PATCH 10/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- tools/hud/.github/workflows/codeql.yml | 52 ++++++++++++++++++++++---- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/tools/hud/.github/workflows/codeql.yml b/tools/hud/.github/workflows/codeql.yml index 5148cf4..ee15d90 100644 --- a/tools/hud/.github/workflows/codeql.yml +++ b/tools/hud/.github/workflows/codeql.yml 
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
@@ -20,21 +58,19 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- include:
- - language: javascript-typescript
- build-mode: none
+ language: ${{ fromJSON(needs.detect.outputs.langs) }}
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.28.1
+ uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
 with:
 languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
+ build-mode: none
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.28.1
+ uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
 with:
 category: "/language:${{ matrix.language }}"
From 0e9f4eecf9e3cca6b3b9c83b0f02463f36687721 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 16 May 2026 17:42:52 +0100
Subject: [PATCH 11/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos)
---
 tools/reunify/.github/workflows/codeql.yml | 52 ++++++++++++++++++----
 1 file changed, 44 insertions(+), 8 deletions(-)
diff --git a/tools/reunify/.github/workflows/codeql.yml b/tools/reunify/.github/workflows/codeql.yml
index 3575cd9..ee15d90 100644
--- a/tools/reunify/.github/workflows/codeql.yml
+++ b/tools/reunify/.github/workflows/codeql.yml
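Review bot: Within this one hunk the removed `5d4e8d1aca…` and the added `0d579ffd05…` for `github/codeql-action/init` and `/analyze` both carry `# v3.28.1`, which cannot both be true, so the pin comment on the new lines is unverified. Resolve `0d579ffd05…` against the tag list and put the real tag in the comment, e.g. `uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # <resolved tag>`, on both lines. The enclosing `analyze` job starts above this hunk.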
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
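Review bot: In the `detect` step, `… 2>/dev/null || echo ""` makes an API error indistinguishable from a repo with no CodeQL-supported language, so `analyze` is skipped and the workflow passes without any scan having run — a fail-open on a security check. Let the step fail instead: `stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]') || { echo "::error::languages API failed"; exit 1; }`, and consider a `::warning::` when the final `arr` is `[]` so a silently unscanned repo is visible in the log.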
@@ -20,21 +58,19 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- include:
- - language: javascript-typescript
- build-mode: none
+ language: ${{ fromJSON(needs.detect.outputs.langs) }}
 steps:
 - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+ uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
 with:
 languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
+ build-mode: none
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+ uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
 with:
 category: "/language:${{ matrix.language }}"
From 89a12db99ae49499bd5e6be5fcc09b2631aa6621 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 16 May 2026 17:42:54 +0100
Subject: [PATCH 12/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos)
---
 .../.github/workflows/codeql.yml | 54 +++++++++++++++----
 1 file changed, 44 insertions(+), 10 deletions(-)
diff --git a/tools/rsr-certified/.github/workflows/codeql.yml b/tools/rsr-certified/.github/workflows/codeql.yml
index 32dd3ad..ee15d90 100644
--- a/tools/rsr-certified/.github/workflows/codeql.yml
+++ b/tools/rsr-certified/.github/workflows/codeql.yml
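Review bot: The new `init`/`analyze` pins keep `# v3.28.1` while replacing a SHA that was also labelled `# v3.28.1`, so the comment was copied rather than verified and one of the two is wrong. Check what `0d579ffd05…` actually is before merging and correct the comment on both `uses:` lines; a mislabelled pin defeats the review and update tooling that SHA-pinning is meant to support. The `analyze` job header sits above this hunk.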
@@ -8,11 +8,49 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -permissions: read-all +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. + detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: + needs: detect + if: needs.detect.outputs.langs != '[]' runs-on: ubuntu-latest permissions: contents: read 
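Review bot: The `|| echo ""` fallback on the `gh api` line in `detect` means any failure to reach the languages endpoint yields `langs=[]`, the `if: needs.detect.outputs.langs != '[]'` guard skips `analyze`, and the run is reported green with no CodeQL upload. Fail loudly instead — `stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]') || { echo "::error::languages API failed"; exit 1; }` — and emit a `::warning::` when `arr` ends up `[]`, so "nothing to scan" is a visible, deliberate outcome rather than the default on error. Note also that, as far as I know, these stats describe the default branch only, so a PR adding the first file of a new language is not scanned until it lands.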
@@ -20,23 +58,19 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- include:
- - language: javascript-typescript
- build-mode: none
- - language: rust
- build-mode: none
+ language: ${{ fromJSON(needs.detect.outputs.langs) }}
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.28.1
+ uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
 with:
 languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
+ build-mode: none
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.28.1
+ uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
 with:
 category: "/language:${{ matrix.language }}"
From ed8a052b281f9f49318735738320ee3cb7e398ef Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 16 May 2026 17:42:56 +0100
Subject: [PATCH 13/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos)
---
 total-recall/.github/workflows/codeql.yml | 143 +++++++++-------------
 1 file changed, 60 insertions(+), 83 deletions(-)
diff --git a/total-recall/.github/workflows/codeql.yml b/total-recall/.github/workflows/codeql.yml
index 8a68d55..ee15d90 100644
--- a/total-recall/.github/workflows/codeql.yml
+++ b/total-recall/.github/workflows/codeql.yml
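Review bot: This repo explicitly listed `rust` in the old matrix, and after this change it is scanned only if the linguist stats read by `detect` happen to report Rust — which they should for a repo with `.rs` sources, but a freshly recomputed or not-yet-computed stats response would silently drop the language with no error; a one-line comment above `matrix:` saying `# languages come from detect; an empty list skips this job entirely` would make that trade-off explicit. Separately, the removed `5d4e8d1aca…` and the added `0d579ffd05…` both carry `# v3.28.1` on the `init` and `analyze` lines, so the new comment is unverified and should be corrected to whatever tag the SHA resolves to. The enclosing `analyze` job starts above the hunk.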
@@ -1,99 +1,76 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL Advanced" +# SPDX-License-Identifier: PMPL-1.0-or-later +name: CodeQL Security Analysis on: push: - branches: [ "main" ] + branches: [main, master] pull_request: - branches: [ "main" ] + branches: [main, master] schedule: - - cron: '16 7 * * 1' + - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. 
+ detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: - name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + needs: detect + if: needs.detect.outputs.langs != '[]' + runs-on: ubuntu-latest permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read contents: read - + security-events: write strategy: fail-fast: false matrix: - include: - - language: actions - build-mode: none - # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 + language: ${{ fromJSON(needs.detect.outputs.langs) }} - # Initializes the CodeQL tools for scanning. 
- - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ℹ️ Command-line programs to run using the OS shell. 
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - name: Run manual build steps - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 + - name: Initialize CodeQL + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 + with: + languages: ${{ matrix.language }} + build-mode: none - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:${{matrix.language}}" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 + with: + category: "/language:${{ matrix.language }}" From 40a120567e2188f28aa4e9beea26310bdc772cc1 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 16 May 2026 17:42:59 +0100 Subject: [PATCH 14/14] fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS repos) --- total-upgrade/.github/workflows/codeql.yml | 143 +++++++++------------ 1 file changed, 60 insertions(+), 83 deletions(-) diff --git a/total-upgrade/.github/workflows/codeql.yml b/total-upgrade/.github/workflows/codeql.yml index 8a68d55..ee15d90 100644 --- a/total-upgrade/.github/workflows/codeql.yml +++ b/total-upgrade/.github/workflows/codeql.yml 
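Review bot: The rewrite loses coverage the old file had: the removed matrix analysed the `actions` language with `build-mode: none`, and the new `detect` step can never select it because (as far as I know) linguist stats do not list GitHub Actions as a language, so the repo's own `.github/workflows` are no longer scanned. This workflow file guarantees that directory exists, so an unconditional `add actions` beside the grep lines restores it without needing a checkout in `detect`. The `init`/`analyze` steps also move from `@v4` to a SHA commented `# v3.28.1`, which reads as a major-version downgrade — confirm the SHA really resolves to v3.28.1 and that the v3 line is intended, or fix the comment. The removed `actions: read` was documented in the old file as required for private repositories; keep it if any estate repo is private. Dropping `name: Analyze (${{ matrix.language }})` also renames the status checks (e.g. `Analyze (actions)` becomes `analyze (rust)`), so any branch-protection rule keyed on the old names needs updating or it will block merges.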
@@ -1,99 +1,76 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL Advanced" +# SPDX-License-Identifier: PMPL-1.0-or-later +name: CodeQL Security Analysis on: push: - branches: [ "main" ] + branches: [main, master] pull_request: - branches: [ "main" ] + branches: [main, master] schedule: - - cron: '16 7 * * 1' + - cron: '0 6 * * 1' +# Estate guardrail: cancel superseded runs so re-pushes don't pile up +# queued runs across the estate. Safe here because this workflow only +# performs read-only checks/lint/test/scan with no publish or mutation. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read jobs: + # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript, + # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix + # made CodeQL exit with a "no source / configuration error" on every + # non-JS/TS repo — a permanent false-red `analyze` on most repos' main. + # Detect the languages the repo ACTUALLY contains and only analyse the + # CodeQL-supported, buildless-safe ones; skip entirely when none apply. 
+ detect: + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.pick.outputs.langs }} + steps: + - name: Pick CodeQL languages from repo language stats + id: pick + env: + GH_TOKEN: ${{ github.token }} + run: | + stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "") + out="" + add() { out="$out $1"; } + echo "$stats" | grep -qix 'Rust' && add rust + echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript + echo "$stats" | grep -qix 'Python' && add python + echo "$stats" | grep -qix 'Ruby' && add ruby + echo "$stats" | grep -qix 'Go' && add go + arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .) + [ -z "$arr" ] && arr='[]' + echo "Detected CodeQL languages: $arr" + echo "langs=$arr" >> "$GITHUB_OUTPUT" + analyze: - name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + needs: detect + if: needs.detect.outputs.langs != '[]' + runs-on: ubuntu-latest permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read contents: read - + security-events: write strategy: fail-fast: false matrix: - include: - - language: actions - build-mode: none - # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 + language: ${{ fromJSON(needs.detect.outputs.langs) }} - # Initializes the CodeQL tools for scanning. 
- - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ℹ️ Command-line programs to run using the OS shell. 
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - name: Run manual build steps - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 + - name: Initialize CodeQL + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 + with: + languages: ${{ matrix.language }} + build-mode: none - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:${{matrix.language}}" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 + with: + category: "/language:${{ matrix.language }}"
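Review bot: The replaced matrix scanned the `actions` language, and the new `detect` step has no path that emits it — it only greps linguist language names, which as far as I know never include GitHub Actions — so this repo's workflow files drop out of CodeQL coverage; add `add actions` unconditionally next to the grep lines, since the presence of this very workflow guarantees `.github/workflows` exists and the `actions` extractor was already buildless in the old file. Swapping `github/codeql-action/...@v4` for a SHA annotated `# v3.28.1` looks like a major-version downgrade; verify the SHA's tag and correct the comment if it is not v3.28.1. If the repo is private, restore `actions: read`, which the removed comment marks as required there, and update any required-check names keyed on the old `Analyze (actions)` job name.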