Create codeql.yml #965
Pull request overview
Adds GitHub Advanced Security automation to the repo by introducing CodeQL scanning and a dependency review step in CI.
Changes:
- Added a Dependency Review job to the main CI workflow.
- Added a new CodeQL Advanced workflow to scan Actions, C#, and JS/TS on PRs/pushes and on a schedule.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/main.yml | Adds a new job that runs the GitHub dependency review action on PRs. |
| .github/workflows/codeql.yml | Introduces a CodeQL Advanced workflow for multi-language static analysis. |
- Rename job from 'dependabot' to 'dependency-review' for clarity
- Move if condition from step level to job level to avoid spinning up a runner unnecessarily on push events
- Add missing checkout step required by dependency-review-action

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
Add minimal contents: read permission for least-privilege principle, avoiding reliance on repo-default GITHUB_TOKEN permissions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Review Comment Responses

✅ Comment: Missing permissions block (main.yml:26)
Applied. Added a minimal permissions block with `contents: read` to the dependency-review job for least-privilege. `pull-requests: read` isn't needed for the current configuration.

❌ Comment: Checkout version inconsistency (main.yml:23)
Not applying. `actions/checkout@v6` is the version used consistently throughout `main.yml`. The inconsistency originates from the auto-generated `codeql.yml` using @v4. If we align versions, the fix should be updating `codeql.yml` to @v6, not downgrading `main.yml`.

❌ Comment: matrix.include indentation (codeql.yml:51)
Not applying — false positive. The current YAML is valid. YAML allows list items at the same indentation level as the mapping key. Verified with a YAML parser — the file loads correctly and `strategy.matrix.include` resolves as expected.

❌ Comment: steps indentation (codeql.yml:63)
Not applying — false positive. Same reasoning as above. `steps:` followed by `- name:` at the same indentation level is valid YAML syntax. Verified with a parser.
Align with main.yml which already uses v6 consistently. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
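As an added example that is not the PR's own `main.yml`, this is how the dependency-review job described in the commit messages above could look once all three review points are applied: the job is named `dependency-review`, the `if` condition sits at job level so no runner is allocated on push events, the job carries only a `contents: read` permissions block, and the repository is checked out before `dependency-review-action` runs. The `actions/checkout@v6` tag follows the thread; the `actions/dependency-review-action@v4` tag, the `fail-on-severity` threshold and the empty workflow-level `permissions: {}` default are assumptions and not something the PR shows.

```yaml
# Added example, not the PR's main.yml. Action major tags, the severity
# threshold and the workflow-level permissions default are assumptions.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Workflow-level default of no permissions (assumption, not from the PR):
# each job then declares exactly the scopes it needs.
permissions: {}

jobs:
  dependency-review:
    # Job-level condition: on push events the job is skipped before any
    # runner is started. A step-level `if` would still spin up the runner.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read   # least privilege: reading the repo is all this job needs
    steps:
      # dependency-review-action diffs the dependency manifests between the
      # base and head refs, so the repository must be checked out first.
      - uses: actions/checkout@v6
      - uses: actions/dependency-review-action@v4
        with:
          # Fail the check when a newly introduced dependency has a known
          # vulnerability at or above this severity (threshold is illustrative).
          fail-on-severity: high
```

To reproduce the parser check the author describes for the indentation comments, load the file with any YAML library, for example `python3 -c "import yaml; print(yaml.safe_load(open('.github/workflows/main.yml'))['jobs']['dependency-review']['permissions'])"`, which should print `{'contents': 'read'}`; a workflow-aware linter such as `actionlint` additionally validates the `if` expression and the action inputs.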
No description provided.