Skip to content

Enable codeql scanning #1532

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bioball merged 3 commits into from
Apr 20, 2026
+140 −0
Merged

Enable codeql scanning #1532

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
85f778b
Enable codeql scanning
bioball Apr 17, 2026
aace1f2
Add JS scan
bioball Apr 18, 2026
f1c8bf1
Run on pull requests too
bioball Apr 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions .github/codeql.pkl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
amends "@gha/Workflow.pkl"

import "@gha/catalog.pkl"

on {
push {
branches {
"main"
}
}
pull_request {}
schedule {
Copy link
Copy Markdown
Contributor

@HT154 HT154 Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason not to run this on push or PR? Having this able to block PRs would be very handy. I'd be interested in adding at least one custom query to block a problem pattern in CliCommand.

Copy link
Copy Markdown
Member Author

@bioball bioball Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was concerned about how long these things take to run. But, we can play around with it and see what happens!

Copy link
Copy Markdown
Contributor

@HT154 HT154 Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Analysis for java-kotlin finished within a minute of the gradle-check job, so I think this would probably be okay to enable on PRs. A <1m delay in exchange for better security enforcement on PRs seems okay to me.

Copy link
Copy Markdown
Member Author

@bioball bioball Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added PRs

// Run at 01:38 on Saturday
new { cron = "38 1 * * 6" }
}
}

local class CodeQLScan {
language: String

`build-mode`: String
}

local scans: Listing<CodeQLScan> = new {
new {
language = "actions"
`build-mode` = "none"
}
new {
language = "java-kotlin"
`build-mode` = "autobuild"
}
new {
language = "javascript-typescript"
`build-mode` = "none"
}
}

jobs {
for (scan in scans) {
["analyze-\(scan.language)"] {
Copy link
Copy Markdown
Contributor

@StefMa StefMa Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it better/easier to go with a matrix build instead of multiple jobs? 🤔 🤷‍♂️
It's the same outout, so it actually doesn't matter. Just my initial thought about it 😂

Copy link
Copy Markdown
Member Author

@bioball bioball Apr 17, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Matrices feel like a poor man's for loop that we can express much more easily with Pkl. And, you get actual Pkl dot access this way, rather than a stringy typed value ("${{ matrix.language }}" vs. scan.language). I think this ends up as basically the same thing? Each turns into its own job execution regardless.

name = "Analyze (\(scan.language))"
`runs-on` = "ubuntu-latest"
permissions {
`security-events` = "write"
}
steps {
catalog.`actions/checkout@v6`
new {
name = "Initialize CodeQL"
uses = "github/codeql-action/init@v4"
with {
["languages"] = scan.language
["build-mode"] = scan.`build-mode`
}
}
new {
name = "Perform CodeQL Analysis"
uses = "github/codeql-action/analyze@v4"
with {
["category"] = "/language:\(scan.language)"
}
}
}
}
}
}
6 changes: 6 additions & 0 deletions .github/index.pkl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import "jobs/GithubRelease.pkl"
import "jobs/GradleJob.pkl"
import "jobs/PklJob.pkl"
import "jobs/SimpleGradleJob.pkl"
import "codeql.pkl"

triggerDocsBuild = "both"

Expand Down Expand Up @@ -239,3 +240,8 @@ dependabot {
}
}
}

workflows {
// add codeql workflow to set of workflows
["workflows/codeql.yml"] = codeql
}
4 changes: 4 additions & 0 deletions .github/workflows/__lockfile__.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

63 changes: 63 additions & 0 deletions .github/workflows/codeql.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading