28 changes: 28 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,28 @@
name: "CodeQL"

on:
push:
branches: [main]
pull_request:
branches: [main]

jobs:
analyze:
name: Analyze (JavaScript/TypeScript)
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
actions: read
security-events: write
contents: read
Copilot AI Apr 2, 2026

The job permissions are missing actions: read, which the GitHub CodeQL workflow template includes and which can be required in repos/orgs that set the default GITHUB_TOKEN permissions to “read repository contents only”. Add actions: read to the job (or workflow) permissions to avoid CodeQL failures in locked-down environments.

Suggested change
contents: read
contents: read
actions: read

steps:
- uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: javascript-typescript
queries: security-and-quality

Copilot AI Apr 2, 2026

For TypeScript repositories, CodeQL JS/TS analysis is typically more accurate when dependencies are installed and the project is built (so the extractor can resolve types/config). Consider adding steps between init and analyze to run npm ci (and npm run build if needed) so the scan reflects the actual compiled/typed code.

Suggested change
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 'lts/*'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build (if applicable)
run: npm run build --if-present

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
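Review bot: the three `uses:` references in this hunk (`actions/checkout@v4`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`) resolve mutable major-version tags, so whatever those tags point at tomorrow runs in this job with `security-events: write`; pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4` (placeholder, fill in the real SHA), and let Dependabot keep the pins current. The `on:` block only fires on `push` and `pull_request` to `main`; the GitHub CodeQL template also includes a `schedule:` cron so the default branch is rescanned when the query packs are updated, which is worth adding here.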