e9e61fa
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
cdf9132
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
49e21d5
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
2413e0b
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
e90c065
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
657f11d
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
4c063e7
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
de83f28
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
6f2c0d6
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
97ee21d
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
0e9f4ee
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
89a12db
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
ed8a052
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
40a1205
fix(ci): CodeQL language-aware detect (no more false-red on non-JS/TS…
hyperpolymath May 16, 2026
52 changes: 44 additions & 8 deletions .github/workflows/codeql.yml
Expand Up @@ -8,33 +8,69 @@ on:
branches: [main, master]
schedule:
- cron: '0 6 * * 1'
# Estate guardrail: cancel superseded runs so re-pushes don't pile up
# queued runs across the estate. Safe here because this workflow only
# performs read-only checks/lint/test/scan with no publish or mutation.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: read-all
permissions:
contents: read

jobs:
# The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript,
# occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix
# made CodeQL exit with a "no source / configuration error" on every
# non-JS/TS repo — a permanent false-red `analyze` on most repos' main.
# Detect the languages the repo ACTUALLY contains and only analyse the
# CodeQL-supported, buildless-safe ones; skip entirely when none apply.
detect:
runs-on: ubuntu-latest
outputs:
langs: ${{ steps.pick.outputs.langs }}
steps:
- name: Pick CodeQL languages from repo language stats
id: pick
env:
GH_TOKEN: ${{ github.token }}
run: |
stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "")
out=""
add() { out="$out $1"; }
echo "$stats" | grep -qix 'Rust' && add rust
echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript
echo "$stats" | grep -qix 'Python' && add python
echo "$stats" | grep -qix 'Ruby' && add ruby
echo "$stats" | grep -qix 'Go' && add go
arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .)
[ -z "$arr" ] && arr='[]'
echo "Detected CodeQL languages: $arr"
echo "langs=$arr" >> "$GITHUB_OUTPUT"

analyze:
needs: detect
if: needs.detect.outputs.langs != '[]'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
language: ${{ fromJSON(needs.detect.outputs.langs) }}

steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Initialize CodeQL
uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
build-mode: none

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
category: "/language:${{ matrix.language }}"
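Review bot: The `stats=$(gh api "repos/…/languages" --jq 'keys[]' 2>/dev/null || echo "")` line in the `detect` step folds every API failure (token scope, rate limit, transient 5xx) into an empty language list, so `langs` becomes `[]`, `analyze` is skipped by its `if:`, and a required CodeQL check ends up skipped-green with nothing scanned — the false-red is traded for a silent false-green. Keep "API call failed" distinct from "no supported languages": drop the `2>/dev/null || echo ""` so the default `bash -e` fails the step, or check the status explicitly with `echo "::error::language lookup failed"; exit 1` before the grep chain, so the gap is visible rather than green. The same script is copied into bitfuckit/.github/workflows/codeql.yml, contractiles/.github/workflows/codeql.yml and contractiles/runners/must/.github/workflows/codeql.yml, so the fix belongs in all four. As far as I know the `/languages` endpoint reports the default branch's linguist stats, so a PR that first introduces a supported language would not be scanned until it lands; worth a comment above the `stats=` line if that trade-off is intended. The hunk starts inside the `on:` block, whose earlier lines are outside the diff.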
54 changes: 45 additions & 9 deletions bitfuckit/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
# SPDX-License-Identifier: MPL-2.0-or-later
# SPDX-License-Identifier: PMPL-1.0-or-later
name: CodeQL Security Analysis

on:
Expand All @@ -8,33 +8,69 @@ on:
branches: [main, master]
schedule:
- cron: '0 6 * * 1'
# Estate guardrail: cancel superseded runs so re-pushes don't pile up
# queued runs across the estate. Safe here because this workflow only
# performs read-only checks/lint/test/scan with no publish or mutation.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: read-all
permissions:
contents: read

jobs:
# The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript,
# occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix
# made CodeQL exit with a "no source / configuration error" on every
# non-JS/TS repo — a permanent false-red `analyze` on most repos' main.
# Detect the languages the repo ACTUALLY contains and only analyse the
# CodeQL-supported, buildless-safe ones; skip entirely when none apply.
detect:
runs-on: ubuntu-latest
outputs:
langs: ${{ steps.pick.outputs.langs }}
steps:
- name: Pick CodeQL languages from repo language stats
id: pick
env:
GH_TOKEN: ${{ github.token }}
run: |
stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "")
out=""
add() { out="$out $1"; }
echo "$stats" | grep -qix 'Rust' && add rust
echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript
echo "$stats" | grep -qix 'Python' && add python
echo "$stats" | grep -qix 'Ruby' && add ruby
echo "$stats" | grep -qix 'Go' && add go
arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .)
[ -z "$arr" ] && arr='[]'
echo "Detected CodeQL languages: $arr"
echo "langs=$arr" >> "$GITHUB_OUTPUT"

analyze:
needs: detect
if: needs.detect.outputs.langs != '[]'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
language: ${{ fromJSON(needs.detect.outputs.langs) }}

steps:
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Initialize CodeQL
uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
build-mode: none

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
category: "/language:${{ matrix.language }}"
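Review bot: The new `github/codeql-action/init@0d579ffd…` and `analyze@0d579ffd…` pins keep the `# v3.28.1` comment the replaced `662472033e…` SHAs carried, and contractiles/.github/workflows/codeql.yml replaces a third SHA, `5d4e8d1aca…`, also labelled v3.28.1 — three distinct commits cannot all be the same tag, so at least two of these comments are wrong. The version comment is what a reviewer and pin-bump tooling read against an otherwise opaque SHA, so a stale one makes the pin effectively unreviewable; set the comment to the tag the new commit actually resolves to (from the github/codeql-action releases or `git ls-remote --tags`) in all four codeql.yml files. Since the workflow body is now identical across the estate, a single pinned reusable workflow would let that SHA and comment be bumped in one place.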
54 changes: 45 additions & 9 deletions contractiles/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
# SPDX-License-Identifier: PMPL-1.0
# SPDX-License-Identifier: PMPL-1.0-or-later
name: CodeQL Security Analysis

on:
Expand All @@ -8,33 +8,69 @@ on:
branches: [main, master]
schedule:
- cron: '0 6 * * 1'
# Estate guardrail: cancel superseded runs so re-pushes don't pile up
# queued runs across the estate. Safe here because this workflow only
# performs read-only checks/lint/test/scan with no publish or mutation.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: read-all
permissions:
contents: read

jobs:
# The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript,
# occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix
# made CodeQL exit with a "no source / configuration error" on every
# non-JS/TS repo — a permanent false-red `analyze` on most repos' main.
# Detect the languages the repo ACTUALLY contains and only analyse the
# CodeQL-supported, buildless-safe ones; skip entirely when none apply.
detect:
runs-on: ubuntu-latest
outputs:
langs: ${{ steps.pick.outputs.langs }}
steps:
- name: Pick CodeQL languages from repo language stats
id: pick
env:
GH_TOKEN: ${{ github.token }}
run: |
stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "")
out=""
add() { out="$out $1"; }
echo "$stats" | grep -qix 'Rust' && add rust
echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript
echo "$stats" | grep -qix 'Python' && add python
echo "$stats" | grep -qix 'Ruby' && add ruby
echo "$stats" | grep -qix 'Go' && add go
arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .)
[ -z "$arr" ] && arr='[]'
echo "Detected CodeQL languages: $arr"
echo "langs=$arr" >> "$GITHUB_OUTPUT"

analyze:
needs: detect
if: needs.detect.outputs.langs != '[]'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
language: ${{ fromJSON(needs.detect.outputs.langs) }}

steps:
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Initialize CodeQL
uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.28.1
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
build-mode: none

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3.28.1
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
category: "/language:${{ matrix.language }}"
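Review bot: The `run:` script in `detect` splices `${{ github.repository }}` straight into the shell text at the `stats=` line; `github.repository` is not attacker-controlled, so this is not an injection today, but it is the pattern that becomes one the day the expression is swapped for `github.event.*` data, and an estate-wide copy makes that drift likely. The runner already exports the same value, so `gh api "repos/$GITHUB_REPOSITORY/languages" --jq 'keys[]'` removes the expression from the script entirely, matching how `GH_TOKEN` is already passed through `env:` rather than inline. The same line appears in the other three codeql.yml files in this PR.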
52 changes: 44 additions & 8 deletions contractiles/runners/must/.github/workflows/codeql.yml
Expand Up @@ -8,33 +8,69 @@ on:
branches: [main, master]
schedule:
- cron: '0 6 * * 1'
# Estate guardrail: cancel superseded runs so re-pushes don't pile up
# queued runs across the estate. Safe here because this workflow only
# performs read-only checks/lint/test/scan with no publish or mutation.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: read-all
permissions:
contents: read

jobs:
# The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript,
# occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix
# made CodeQL exit with a "no source / configuration error" on every
# non-JS/TS repo — a permanent false-red `analyze` on most repos' main.
# Detect the languages the repo ACTUALLY contains and only analyse the
# CodeQL-supported, buildless-safe ones; skip entirely when none apply.
detect:
runs-on: ubuntu-latest
outputs:
langs: ${{ steps.pick.outputs.langs }}
steps:
- name: Pick CodeQL languages from repo language stats
id: pick
env:
GH_TOKEN: ${{ github.token }}
run: |
stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "")
out=""
add() { out="$out $1"; }
echo "$stats" | grep -qix 'Rust' && add rust
echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript
echo "$stats" | grep -qix 'Python' && add python
echo "$stats" | grep -qix 'Ruby' && add ruby
echo "$stats" | grep -qix 'Go' && add go
arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .)
[ -z "$arr" ] && arr='[]'
echo "Detected CodeQL languages: $arr"
echo "langs=$arr" >> "$GITHUB_OUTPUT"

analyze:
needs: detect
if: needs.detect.outputs.langs != '[]'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
language: ${{ fromJSON(needs.detect.outputs.langs) }}

steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Initialize CodeQL
uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
build-mode: none

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
with:
category: "/language:${{ matrix.language }}"