fix(ci): point CodeQL at actions so SAST runs on every commit

hyperpolymath · claude · hyperpolymath · commit 7dafb68df533 · 2026-05-16T21:25:55.000+01:00
Repo is Ada/Scheme/Shell — none are CodeQL-analysable. The matrix was `javascript-typescript`, so the analyze job saw no source and recorded zero results, and OSSF Scorecard's SAST check reported "0 commits checked" (alert #72). `language: actions` scans the workflow YAML every commit touches, so SAST now produces results on every push. Refs hyperpolymath/hypatia#260 Refs #40 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -21,7 +21,13 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - language: javascript-typescript
+          # This repo is Ada/Scheme/Shell — languages CodeQL cannot analyze.
+          # Pointing CodeQL at `javascript-typescript` made the analyze job
+          # see no source and record zero results, so OSSF Scorecard's SAST
+          # check reported "0 commits checked" (alert #72). `actions` scans
+          # the workflow YAML, which every commit touches, so SAST now
+          # produces results on every push. See hyperpolymath/hypatia#260.
+          - language: actions
             build-mode: none
 
     steps:
