
Add CodeQL workflow#122

Merged: williammartin merged 3 commits into main from wm-codeql on May 20, 2026
Conversation

@williammartin (Member) commented May 20, 2026

Adds a CodeQL code scanning workflow covering Go source and GitHub Actions.

  • Matrix scans go and actions.
  • Uses security-and-quality queries.
  • Runs on push/PR to main (docs-only PR changes skipped) and weekly on Sunday.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@williammartin williammartin marked this pull request as ready for review May 20, 2026 14:47
@williammartin williammartin requested a review from a team as a code owner May 20, 2026 14:47
@williammartin williammartin requested review from BagToad and Copilot May 20, 2026 14:47

Copilot AI left a comment


Pull request overview

Adds a GitHub CodeQL code-scanning workflow intended to analyze both Go source and GitHub Actions workflows on pushes/PRs to main, plus a weekly scheduled run.

Changes:

  • Introduces a CodeQL workflow with a matrix for go and actions.
  • Configures CodeQL to run security-and-quality queries and upload SARIF results.
  • Skips running on docs-only pull request changes (**/*.md).
Summary per file:
  .github/workflows/codeql.yml: Adds a CodeQL scanning workflow for Go and GitHub Actions with scheduled and PR/push triggers.

Copilot's findings


  • Files reviewed: 1/1 changed files
  • Comments generated: 2

Comment thread .github/workflows/codeql.yml
- Add persist-credentials: false to checkout for consistency with ci.yml/lint.yml
- Add explicit 'go build ./...' step between init and analyze so the Go CodeQL database is populated reliably without relying on autobuild

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per CodeQL docs (https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages#building-go), Go is the exception among compiled languages: the default autobuild already extracts all Go code, similar to running 'go build ./...'. The explicit step was redundant and, without build-mode: manual, would have caused Go to be built twice.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
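As an added illustration, the workflow below is a reconstruction of what the PR body and the two follow-up commit messages describe; it is not the PR's actual .github/workflows/codeql.yml, which the page does not show. It covers the matrix of go and actions, the security-and-quality query suite, docs-only PR changes being skipped, the weekly Sunday schedule, persist-credentials: false on checkout, and the absence of an explicit go build step (autobuild already extracts Go, so a manual build only belongs with build-mode: manual). Action major versions, the cron time and the build-mode values per language are assumptions.

```yaml
# Reconstructed example, not the PR's own file: a CodeQL workflow matching
# the PR description and commit messages on this page.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
    # Docs-only PR changes are skipped, as the PR description states.
    paths-ignore:
      - '**/*.md'
  schedule:
    # Weekly on Sunday; the exact hour is an assumption.
    - cron: '0 6 * * 0'

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results
      actions: read            # required by the analyze step on private repos

    strategy:
      fail-fast: false
      matrix:
        include:
          - language: go
            build-mode: autobuild   # CodeQL's autobuild already extracts all Go code
          - language: actions
            build-mode: none        # workflow files have nothing to build

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config for later steps
          # (consistent with the persist-credentials: false used in ci.yml/lint.yml)
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-and-quality

      # Deliberately no `go build ./...` step here: with build-mode autobuild the
      # Go database is populated by CodeQL itself, and an extra build would run
      # the compilation twice. A manual build step belongs only with build-mode: manual.

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The paths-ignore filter applies only to the pull_request trigger, so every push to main and the weekly run still produce a full result set; that keeps a current baseline on main for PR results to be compared against even when individual PRs skip the scan.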
@williammartin williammartin merged commit 4d484e2 into main May 20, 2026
21 checks passed
@williammartin williammartin deleted the wm-codeql branch May 20, 2026 15:37