Empty file modified .githooks/pre-commit
100644 → 100755
Empty file.
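--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,95 @@
+name: "CodeQL"
+
+on:
+push:
+branches: [main]
+pull_request:
+branches: [main]
+schedule:
+- cron: "0 6 * * 1" # Weekly on Monday at 06:00 UTC
+
+permissions:
+contents: read
+security-events: write
+
+jobs:
+changes:
+name: Detect changed paths
+runs-on: ubuntu-latest
+permissions:
+contents: read
+pull-requests: read
+outputs:
+java: ${{ steps.filter.outputs.java }}
+js: ${{ steps.filter.outputs.js }}
+python: ${{ steps.filter.outputs.python }}
+go: ${{ steps.filter.outputs.go }}
+csharp: ${{ steps.filter.outputs.csharp }}
+actions: ${{ steps.filter.outputs.actions }}
+steps:
+- uses: actions/checkout@v4
+- uses: dorny/paths-filter@v3
+id: filter
+with:
+filters: |
+java:
+- 'java/**'
+js:
+- 'nodejs/**'
+- 'scripts/**'
+python:
+- 'python/**'
+go:
+- 'go/**'
+csharp:
+- 'dotnet/**'
+actions:
+- '.github/workflows/**'
+- '.github/actions/**'
+
+analyze:
+name: Analyze (${{ matrix.language }})
+needs: changes
+# Run even if 'changes' is skipped (e.g. on push/schedule where paths-filter
+# may not flag changes). Each step has its own gate condition.
+if: always()
+runs-on: ubuntu-latest
+permissions:
+security-events: write
+contents: read
+strategy:
+fail-fast: false
+matrix:
+include:
+- language: java-kotlin
+gate: java
+- language: javascript-typescript
+gate: js
+- language: python
+gate: python
+- language: go
+gate: go
+- language: csharp
+gate: csharp
+- language: actions
+gate: actions
+steps:
+- name: Checkout repository
+if: ${{ needs.changes.outputs[matrix.gate] == 'true' || github.event_name == 'schedule' || github.event_name == 'push' }}
+uses: actions/checkout@v4
+
+- name: Initialize CodeQL
+if: ${{ needs.changes.outputs[matrix.gate] == 'true' || github.event_name == 'schedule' || github.event_name == 'push' }}
+uses: github/codeql-action/init@v3
+with:
+languages: ${{ matrix.language }}
+
+- name: Autobuild
+if: ${{ needs.changes.outputs[matrix.gate] == 'true' || github.event_name == 'schedule' || github.event_name == 'push' }}
+uses: github/codeql-action/autobuild@v3
+
+- name: Perform CodeQL Analysis
+if: ${{ needs.changes.outputs[matrix.gate] == 'true' || github.event_name == 'schedule' || github.event_name == 'push' }}
+uses: github/codeql-action/analyze@v3
+with:
+category: "/language:${{ matrix.language }}"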
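Review bot: The per-step gates in `analyze` fail open on pull requests: because the job runs under `if: always()`, a failed `changes` job leaves `needs.changes.outputs[matrix.gate]` empty, so all four steps are skipped and every matrix leg still reports success without having scanned anything. Appending `|| needs.changes.result != 'success'` to each of the four step conditions would make a broken path filter fall back to running the analysis instead of silently passing. The comment above `if: always()` also speaks of `changes` being skipped, but that job has no condition of its own, so the case it really needs to cover is failure. Separately, `dorny/paths-filter@v3` and the other `uses:` references are mutable tags; pinning them to full commit SHAs, with the tag kept as a trailing comment, would keep a moved tag from changing what this workflow executes.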