Skip to content

Add CodeQL analysis workflow configuration #83

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Mtze wants to merge 3 commits into from
Closed

Add CodeQL analysis workflow configuration #83

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e00677a
Add CodeQL analysis workflow configuration
Mtze Mar 6, 2026
ffc8d8b
fix(ci): adapt CodeQL workflow to repository setup
Mtze Mar 6, 2026
2c140ee
chore(ci): remove redundant CodeQL advanced workflow
Mtze Mar 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: "CodeQL Advanced"

on:
workflow_dispatch:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '43 6 * * 0'

jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read

strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
Copy link

Copilot AI Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

YAML indentation under strategy.matrix.include is invalid: list items must be indented beneath include:. As written, - language: ... is at the same level as include:, which will break parsing and prevent the matrix from being created (making matrix.language/matrix.build-mode undefined).

Suggested change
- language: javascript-typescript
build-mode: none
- language: javascript-typescript
build-mode: none

Copilot uses AI. Check for mistakes.
# java-kotlin and actions are covered by the GitHub default CodeQL setup
# (Settings > Security > Code scanning). Running them here as well would
# conflict: "CodeQL analyses from advanced configurations cannot be
# processed when the default setup is enabled".
steps:
- name: Checkout repository
uses: actions/checkout@v4
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/codeql.yml

Repository: EduIDE/EduIDE-Cloud

Length of output: 5666

🏁 Script executed:

#!/bin/bash
# Resolve the exact commits currently behind the tags used here.
git ls-remote https://github.com/actions/checkout refs/tags/v4
git ls-remote https://github.com/github/codeql-action refs/tags/v4

Repository: EduIDE/EduIDE-Cloud

Length of output: 170

🏁 Script executed:

# Also check if there are other floating tags in the workflow
rg "@v[0-9]+" .github/workflows/codeql.yml -o

Repository: EduIDE/EduIDE-Cloud

Length of output: 78

Pin the GitHub Actions to immutable commit SHAs.

Using floating @v4 tags in a security workflow means upstream tag movement can change what runs without a PR in this repo. Replace with commit SHAs:

  • Line 62: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
  • Line 72: github/codeql-action/init@dd677812177e0c29f9c970a6c58d8607ae1bfefd
  • Line 101: github/codeql-action/analyze@dd677812177e0c29f9c970a6c58d8607ae1bfefd
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql.yml around lines 61 - 62, Replace floating action
tags with the provided immutable commit SHAs: change uses: actions/checkout@v4
to uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5, change
github/codeql-action/init@... to
github/codeql-action/init@dd677812177e0c29f9c970a6c58d8607ae1bfefd, and change
github/codeql-action/analyze@... to
github/codeql-action/analyze@dd677812177e0c29f9c970a6c58d8607ae1bfefd so the
workflow references immutable commit SHAs instead of floating tags (locate the
uses entries for actions/checkout and github/codeql-action/init/analyze in the
codeql.yml to apply the changes).


- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
Copy link

Copilot AI Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

steps: and the step entries are not indented under the analyze job. They need to be nested beneath jobs.analyze (e.g., steps: aligned with strategy: and each - name: indented under steps:), otherwise the workflow YAML will be invalid.

Suggested change
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"

Copilot uses AI. Check for mistakes.
Loading