Conversation
Updated workflow name to 'CodeQL' and removed comments.
Pull request overview
Adds/updates the repository’s GitHub Actions CodeQL workflow configuration to run CodeQL analysis on pushes/PRs to master and on a weekly schedule.
Changes:
- Introduces a CodeQL workflow with a language matrix (actions, python) and CodeQL init/analyze steps.
- Configures workflow triggers for push, pull_request, and a scheduled cron run.
```yaml
        build-mode: none
        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
        # Use `c-cpp` to analyze code written in C, C++ or both
        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
```
strategy.matrix.include is a YAML sequence but the list items are not indented under include:. As written, the workflow YAML will not parse; indent the - language: ... entries so they are children of include: (and keep build-mode aligned under each item).
```yaml
    # This includes steps like installing compilers or runtimes (`actions/setup-node`
    # or others). This is typically only required for manual builds.
    # - name: Setup runtime (example)
    #   uses: actions/setup-example@v1
```
The steps: key is followed by - name: ... entries at the same indentation level as steps:. In GitHub Actions YAML, step items must be indented beneath steps:; otherwise the workflow file is invalid and the job will fail to load.
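The two indentation comments above (the `include:` items and the `steps:` items) both come down to nesting sequence items under their parent key. The skeleton below is an added example, not the file from this PR: it takes the language values, `build-mode: none`, the job name, runner and `security-events: write` from the quoted lines, while the trigger branches and cron slot, the `actions/checkout@v4` pin (the review notes other workflows use v5), the `github/codeql-action/init@v3` and `analyze@v3` pins and the extra read permissions are assumptions.

```yaml
name: CodeQL

on:
  push:
    branches: [ "master" ]          # assumed: the overview says pushes/PRs to master
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '30 1 * * 0'            # assumed weekly slot; the PR's own cron is not quoted

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
      # assumption: a job-level permissions block replaces the default token
      # scopes, so read access has to be granted explicitly (needed on
      # private repositories for checkout and for the analysis upload)
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # every "- language:" item is a child of include:, and build-mode
        # lines up under language: inside the same item
        include:
          - language: actions
            build-mode: none
          - language: python
            build-mode: none
    steps:
      # each "- name:" item is a child of steps:
      - name: Checkout repository
        uses: actions/checkout@v4            # assumed pin
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3   # assumed pin
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3  # assumed pin
        with:
          category: "/language:${{ matrix.language }}"
```

A quick local check before pushing is to run the file through any YAML parser (for example `python -c "import yaml,sys; yaml.safe_load(sys.stdin)" < .github/workflows/codeql.yml`): a mis-nested `- language:` or `- name:` item either fails to parse or lands as a sibling of `include:`/`steps:` instead of a child, which the parsed structure makes obvious.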
```yaml
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
```
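Review bot: as quoted, the job-level permissions block grants only `security-events: write`. A job-level `permissions:` key replaces the default GITHUB_TOKEN scopes rather than adding to them, so `contents: read` is no longer implied for the checkout step and `actions: read` is absent for the analyze step's upload; on a private repository both will fail with a 403. Add `actions: read` and `contents: read` next to `security-events: write` (and `packages: read` if private CodeQL packs are pulled).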
This PR description says comments were removed, but this workflow still contains extensive commented guidance (e.g., runner sizing, setup steps, query packs). Either update the description to match, or remove the remaining comments if that is the intent.
```yaml
    # or others). This is typically only required for manual builds.
    # - name: Setup runtime (example)
```
Other workflows in this repo use actions/checkout@v5 (e.g., .github/workflows/ci.yml, publish.yml, swagger.yml), but this workflow pins actions/checkout@v4. Consider aligning versions across workflows to reduce maintenance and keep consistent action behavior.