From f11d2b57d62ab666d116bba001a3b66dd75575fa Mon Sep 17 00:00:00 2001
From: zhongliang02
Date: Mon, 2 Mar 2026 16:45:10 +0800
Subject: [PATCH 1/2] feat: add sample workflow with local config override support
---
sample-workflow.yml | 77 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 sample-workflow.yml
diff --git a/sample-workflow.yml b/sample-workflow.yml
new file mode 100644
index 0000000..3718510
--- /dev/null
+++ b/sample-workflow.yml
@@ -0,0 +1,77 @@
+# OGP CodeQL Workflow
+# Copy this file to your repository at .github/workflows/codeql.yml
+#
+# To exclude specific rules for your project, create .github/codeql-config.yml
+# in your repository with contents like:
+#
+# packs:
+# javascript:
+# - opengovsg/nextjs-custom-queries@1.0.1
+# - opengovsg/react-custom-queries@1.0.1
+# - opengovsg/javascript-custom-queries@1.0.3
+# - opengovsg/nestjs-custom-queries@1.0.0
+# query-filters:
+# - exclude:
+# id: my-rule/to-exclude
+# paths-ignore:
+# - '**/test/**'
+# - '**/tests/**'
+# - '**/__test__/**'
+# - '**/__tests__/**'
+# - '**/*.test.*'
+#
+# If no local config is found, the central config from
+# opengovsg/codeql-config/codeql-config.yml@prod is used.
+
+name: 'OGP CodeQL'
+
+on:
+ push:
+ branches: ['develop']
+ pull_request:
+ branches: ['develop']
+ schedule:
+ - cron: '0 10 * * *'
+
+jobs:
+ analyze:
+ name: Analyze (${{matrix.language}})
+ runs-on: ${{(matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest'}}
+ timeout-minutes: ${{(matrix.language == 'swift' && 120) || 360}}
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: javascript-typescript
+ build-mode: none
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check for local CodeQL config override
+ id: codeql-config
+ run: |
+ if [ -f ".github/codeql-config.yml" ]; then
+ echo "config-file=./.github/codeql-config.yml" >> "$GITHUB_OUTPUT"
+ else
+ echo "config-file=opengovsg/codeql-config/codeql-config.yml@prod" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{matrix.language}}
+ build-mode: ${{matrix.build-mode}}
+ config-file: ${{steps.codeql-config.outputs.config-file}}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: '/language:${{matrix.language}}'
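Review bot: The `Check for local CodeQL config override` step trusts whatever `.github/codeql-config.yml` is present in the checked-out tree, and on `pull_request` runs that tree includes the PR's own changes, so a PR can alter `query-filters` or `paths-ignore` for the scan of that same PR. Because `config-file` takes a single file, a local file also replaces the central `opengovsg/codeql-config` config rather than layering on top of it, which the header comment only implies by repeating `packs:` in its example. I would state both in the header, e.g. `# NOTE: a local config replaces the central config entirely; require CODEOWNERS review for .github/codeql-config.yml`, and make the choice visible in the run with `echo "::notice::Using local CodeQL config override"` inside the `if` branch. Separately, `actions/checkout@v4` and `github/codeql-action/*@v3` are mutable tags; pinning them to full commit SHAs would keep a retagged release from changing what runs under `security-events: write`.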
From 3a53128bd7638a8a126ca27029000040c35401cd Mon Sep 17 00:00:00 2001
From: zhongliang02
Date: Mon, 2 Mar 2026 17:46:55 +0800
Subject: [PATCH 2/2] fix: add placeholder TS file for CodeQL CI
---
index.ts | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 index.ts
diff --git a/index.ts b/index.ts
new file mode 100644
index 0000000..82e18cc
--- /dev/null
+++ b/index.ts
@@ -0,0 +1,4 @@
+// Placeholder file to allow CodeQL's javascript-typescript analysis to run.
+// This repo is a config-only repo with no application code, but the CI
+// workflow needs at least one JS/TS file for the analyzer to succeed.
+export {};