Skip to content

ci(codeql): scope scans and confidence jobs to relevant changes#32

Merged
GazaliAhmad merged 1 commit into
mainfrom
release/0.9.0
Jun 2, 2026
Merged

ci(codeql): scope scans and confidence jobs to relevant changes#32
GazaliAhmad merged 1 commit into
mainfrom
release/0.9.0

Conversation

@GazaliAhmad

Copy link
Copy Markdown
Owner

Summary

Narrow the repo’s security and post-merge CI so heavy scans only run when their relevant language or runtime inputs actually change.

Why

This change belongs now because docs-only and website-only changes were still triggering expensive or unnecessary post-merge confidence and CodeQL scans.

  • it addresses wasted CI time and noisy checks on changes that do not affect the scanned runtime or language surface
  • it is CI hygiene that supports the current 0.9.x stabilization/docs work, but it is not a release publish change

Included

  • add a repo-owned CodeQL workflow for advanced setup
  • scope javascript-typescript analysis to TS/JS/runtime-relevant files
  • scope python analysis to the actual Python script path in the repo
  • scope actions analysis to workflow changes
  • keep workflow_dispatch available to run all CodeQL analyzers manually
  • narrow Post-Merge 150k Confidence so it only runs on runtime/perf-relevant changes
  • remove the redundant change-detection job from the 150k post-merge workflow now that workflow-level path filters handle it

Not Included

Call out anything intentionally left out so the PR does not read larger than it is.

  • no change to runtime/library behavior
  • no change to docs or website content
  • no switch in GitHub settings from CodeQL default setup to advanced setup yet
  • no attempt to change Cloudflare or release automation

Verification

List the exact checks or commands you ran.

Get-Content .github/workflows/post-merge-150k.yml
Get-Content .github/workflows/codeql.yml
git diff -- .github/workflows/post-merge-150k.yml

If this is perf, runtime-stability, or website work, include the specific profile, route, or build command used.

  • verified the updated workflow YAML locally
  • confirmed the repo’s only live Python path is website/scripts/generate-pwa-icons.py

Docs

Mark what was updated if the public behavior, release posture, or surfaced site changed.

  • README
  • CHANGELOG
  • ROADMAP
  • MAINTENANCE
  • RELEASE_PROCESS
  • COMPATIBILITY
  • guides
  • website
  • no docs change needed

Checklist

  • scope stays focused
  • verification matches the change
  • docs and release wording are aligned when needed
  • no unrelated changes were bundled in casually

@GazaliAhmad GazaliAhmad merged commit f3e619c into main Jun 2, 2026
11 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant