80 changes: 80 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,80 @@
name: "CodeQL - JavaScript (Advanced)"

on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '0 2 * * 3' # weekly on Wed 02:00 UTC
workflow_dispatch:

jobs:
analyze:
name: Analyze (CodeQL, Node ${{ matrix.node }})
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
packages: read
actions: read

strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
node: 18
build-mode: none
- language: javascript-typescript
node: 20
build-mode: none
Comment on lines +22 to +31
Copilot AI Dec 12, 2025


The matrix strategy runs CodeQL analysis twice (once for Node 18 and once for Node 20), but since build-mode is 'none', the Node version doesn't affect the analysis results. CodeQL analyzes the source code statically without executing it. Running duplicate analyses wastes CI resources and time. Consider removing the matrix and running a single analysis job, or if you need to test against multiple Node versions, use the existing Node.js CI workflow instead.


steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node }}
cache: 'npm'

- name: Cache node modules
uses: actions/cache@v4
with:
path: |
~/.npm
node_modules
key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-node-${{ matrix.node }}-

Comment on lines +45 to +54
Copilot AI Dec 12, 2025


This cache step is redundant because the setup-node action (line 40-43) already handles caching with the 'cache: npm' parameter. Having both can lead to cache conflicts and unnecessary overhead. Consider removing this manual cache step and relying on the built-in caching from setup-node.

Suggested change
- name: Cache node modules
uses: actions/cache@v4
with:
path: |
~/.npm
node_modules
key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-node-${{ matrix.node }}-

- name: Install dependencies
run: |
if [ -f package-lock.json ]; then
npm ci
else
npm install
fi

Comment on lines +55 to +62
Copilot AI Dec 12, 2025


Installing dependencies is unnecessary when using build-mode 'none' for JavaScript/TypeScript analysis. CodeQL can analyze the source code directly without installed dependencies. This step adds unnecessary time to the workflow execution. Consider removing this step or only including it if you change to a build mode that requires it.

Suggested change
- name: Install dependencies
run: |
if [ -f package-lock.json ]; then
npm ci
else
npm install
fi

Comment on lines +39 to +62
Copilot AI Dec 12, 2025


Setting up Node.js is unnecessary for CodeQL analysis with build-mode 'none'. CodeQL for JavaScript/TypeScript performs static analysis on the source code and doesn't require a Node.js runtime or dependencies. This step (along with the cache and install steps) can be removed to speed up the workflow.

Suggested change
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node }}
cache: 'npm'
- name: Cache node modules
uses: actions/cache@v4
with:
path: |
~/.npm
node_modules
key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-node-${{ matrix.node }}-
- name: Install dependencies
run: |
if [ -f package-lock.json ]; then
npm ci
else
npm install
fi

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# Use built-in query packs plus extended security rules
queries: security-extended,security-and-quality

- name: Autobuild (CodeQL)
uses: github/codeql-action/autobuild@v4
env:
CI: true

Comment on lines +71 to +75
Copilot AI Dec 12, 2025


The matrix specifies 'build-mode: none' but the workflow includes an Autobuild step. When build-mode is 'none', CodeQL analyzes the code without building it, making the Autobuild step unnecessary. Either remove the Autobuild step (recommended for JavaScript/TypeScript projects which typically don't need building for CodeQL analysis) or change build-mode to 'autobuild' if building is required.

Suggested change
- name: Autobuild (CodeQL)
uses: github/codeql-action/autobuild@v4
env:
CI: true

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v4
with:
# Optional: narrow category to help triage results in the dashboard
category: "language:javascript-typescript"
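Review bot: the hard-coded `category: "language:javascript-typescript"` in the final "Perform CodeQL analysis" step does not distinguish the two matrix entries (Node 18 and Node 20), so both jobs upload results under the same category for the same commit and the later upload replaces the earlier one's findings; if the matrix is kept, derive the category from it (for example `category: "language:${{ matrix.language }}/node:${{ matrix.node }}"`), otherwise collapse the matrix as already suggested and the fixed category is fine. Two smaller points in the same hunk: `queries: security-extended,security-and-quality` names two suites where the second is documented as a superset of the first (security-extended plus maintainability and reliability queries), so a single entry is enough; and every action reference (`actions/checkout@v4`, `actions/setup-node@v4`, `actions/cache@v4`, `github/codeql-action/init@v4`, `autobuild@v4`, `analyze@v4`) uses a floating major tag rather than a pinned commit SHA, which is worth tightening in a job that holds `security-events: write`.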