From 6a689c472dc5cdd8c73760981cf8db6a8dbb367a Mon Sep 17 00:00:00 2001
From: feywind <57276408+feywind@users.noreply.github.com>
Date: Mon, 4 May 2026 15:22:40 -0400
Subject: [PATCH 1/2] build: split codeql runners into sections to try to reduce runtime headaches
---
 .github/codeql/codeql-autogenerated.yml | 2 +
 .github/codeql/codeql-handwritten.yml | 3 +
 .github/codeql/codeql-repo.yml | 2 +
 .github/workflows/codeql-autogenerated.yml | 66 +++++++++++++++++++
 .github/workflows/codeql-handwritten.yml | 66 +++++++++++++++++++
 .../workflows/{codeql.yml => codeql-repo.yml} | 20 +++---
 6 files changed, 148 insertions(+), 11 deletions(-)
 create mode 100644 .github/codeql/codeql-autogenerated.yml
 create mode 100644 .github/codeql/codeql-handwritten.yml
 create mode 100644 .github/codeql/codeql-repo.yml
 create mode 100644 .github/workflows/codeql-autogenerated.yml
 create mode 100644 .github/workflows/codeql-handwritten.yml
 rename .github/workflows/{codeql.yml => codeql-repo.yml} (78%)
diff --git a/.github/codeql/codeql-autogenerated.yml b/.github/codeql/codeql-autogenerated.yml
new file mode 100644
index 000000000000..7af35f3313dc
--- /dev/null
+++ b/.github/codeql/codeql-autogenerated.yml
@@ -0,0 +1,2 @@
+paths:
+ - 'packages'
diff --git a/.github/codeql/codeql-handwritten.yml b/.github/codeql/codeql-handwritten.yml
new file mode 100644
index 000000000000..71efc12d0485
--- /dev/null
+++ b/.github/codeql/codeql-handwritten.yml
@@ -0,0 +1,3 @@
+paths:
+ - 'core'
+ - 'handwritten'
diff --git a/.github/codeql/codeql-repo.yml b/.github/codeql/codeql-repo.yml
new file mode 100644
index 000000000000..6fac93db405f
--- /dev/null
+++ b/.github/codeql/codeql-repo.yml
@@ -0,0 +1,2 @@
+paths:
+ - '.github'
diff --git a/.github/workflows/codeql-autogenerated.yml b/.github/workflows/codeql-autogenerated.yml
new file mode 100644
index 000000000000..d195a316a50f
--- /dev/null
+++ b/.github/workflows/codeql-autogenerated.yml
@@ -0,0 +1,66 @@
+name: "CodeQL Advanced - autogenerated"
+
+# The CodeQL jobs are kept separately so that their run time doesn't
+# exceed the max for an action job on GitHub.
+
+on:
+ schedule:
+ - cron: '0 2 * * *'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: javascript-typescript
+ build-mode: none
+ - language: python
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+
+ # Initializes the CodeQL tools for scanning - autogen flavour.
+ - name: Initialize CodeQL for autogenerated
+ uses: github/codeql-action/init@v4
+ with:
+ config-file: .github/codeql/codeql-autogenerated.yml
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ - name: Perform CodeQL Analysis for autogenerated
+ uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/codeql-handwritten.yml b/.github/workflows/codeql-handwritten.yml
new file mode 100644
index 000000000000..4673e7127acc
--- /dev/null
+++ b/.github/workflows/codeql-handwritten.yml
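Review bot: The `- language: actions` matrix entry sits badly with `config-file: .github/codeql/codeql-autogenerated.yml`, whose `paths` list is only `packages`: the Actions extractor works on workflow files under `.github/workflows`, so if the path filter applies to it as it does to the other interpreted languages, this job most likely builds an empty database and spends a runner slot for nothing, which is the opposite of what the split is for. Unless workflow files live under `packages`, drop the `actions` entry here and in the identical matrix of the codeql-handwritten.yml hunk and let the repo-meta workflow own Actions analysis. `runs-on: ${{ 'ubuntu-latest' }}` wraps a literal in an expression for no effect; `runs-on: ubuntu-latest` reads plainly. Both new workflows also trigger only on `schedule`, so a maintainer who edits one of the new config files cannot exercise it until the nightly run; adding `workflow_dispatch:` under `on:` gives an on-demand path without widening the trigger set.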
@@ -0,0 +1,66 @@
+name: "CodeQL Advanced - handwritten"
+
+# The CodeQL jobs are kept separately so that their run time doesn't
+# exceed the max for an action job on GitHub.
+
+on:
+ schedule:
+ - cron: '30 1 * * *'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: javascript-typescript
+ build-mode: none
+ - language: python
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+
+ # Initializes the CodeQL tools for scanning - handwritten flavour.
+ - name: Initialize CodeQL for handwritten
+ uses: github/codeql-action/init@v4
+ with:
+ config-file: .github/codeql/codeql-handwritten.yml
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ - name: Perform CodeQL Analysis for handwritten
+ uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql-repo.yml
similarity index 78%
rename from .github/workflows/codeql.yml
rename to .github/workflows/codeql-repo.yml
index def73c90299d..de35ba606f26 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql-repo.yml
@@ -1,8 +1,11 @@
-name: "CodeQL Advanced"
+name: "CodeQL Advanced - repo meta"
+
+# The CodeQL jobs are kept separately so that their run time doesn't
+# exceed the max for an action job on GitHub.
 on:
 schedule:
- - cron: '0 4 * * *'
+ - cron: '0 1 * * *'
 jobs:
 analyze:
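Review bot: This file is a 66-line copy of the codeql-autogenerated.yml hunk that differs only in `name`, the cron minute and `config-file`, so the three workflows will drift the first time someone edits `permissions` or the matrix in one of them. The header comment gives the per-job time limit as the reason for separate files, but each matrix entry is already its own job, so a `config` dimension in the matrix feeding `config-file: .github/codeql/${{ matrix.config }}.yml` would keep the same job-level split in one file; if independent schedules are also wanted, a `workflow_call` reusable workflow taking the config path, called from three thin scheduler workflows, achieves that with a single copy of the job body. Separately, `actions/checkout@v4`, `github/codeql-action/init@v4` and `github/codeql-action/analyze@v4` are pinned to mutable major tags; for a job that holds `security-events: write`, pinning each to a full commit SHA with the tag in a trailing comment removes the dependence on a third party's tag not moving.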
@@ -52,18 +55,13 @@ jobs:
 # - name: Setup runtime (example)
 # uses: actions/setup-example@v1
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
+ # Initializes the CodeQL tools for scanning - repo meta flavour.
+ - name: Initialize CodeQL for repo meta
 uses: github/codeql-action/init@v4
 with:
+ config-file: .github/codeql/codeql-repo.yml
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
-
- # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- # queries: security-extended,security-and-quality
- - name: Perform CodeQL Analysis
+ - name: Perform CodeQL Analysis for repo meta
 uses: github/codeql-action/analyze@v4
From 5c93ae269862d5d6a3d77bb499e37bf2d3aaa699 Mon Sep 17 00:00:00 2001
From: feywind <57276408+feywind@users.noreply.github.com>
Date: Tue, 5 May 2026 17:12:10 -0400
Subject: [PATCH 2/2] build: switch codeql config to an exclude list for the main repo scan
---
 .github/codeql/codeql-repo.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/codeql/codeql-repo.yml b/.github/codeql/codeql-repo.yml
index 6fac93db405f..f69958b803a9 100644
--- a/.github/codeql/codeql-repo.yml
+++ b/.github/codeql/codeql-repo.yml
@@ -1,2 +1,4 @@
-paths:
- - '.github'
+paths-ignore:
+ - 'packages'
+ - 'core'
+ - 'handwritten'
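Review bot: `.github/codeql/codeql-repo.yml` now carries an unstated contract, that its `paths-ignore` list is the exact complement of the `paths` lists in codeql-autogenerated.yml (`packages`) and codeql-handwritten.yml (`core`, `handwritten`), and nothing in the file says so, so the next person who adds a directory to one of the allow-lists has no cue to mirror it here and that tree gets scanned twice. A header comment along the lines of `# Everything NOT scanned by codeql-autogenerated.yml (packages) or codeql-handwritten.yml (core, handwritten); keep the three lists in sync.` makes the relationship visible at the point of edit. The exclude-list shape is the safer of the two because a new top-level directory falls into this scan rather than into no scan at all, and it is also what brings `.github` back into coverage for the repo-meta workflow's `actions` matrix entry after patch 1 had narrowed this file to `.github` alone.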