fix: add actions language to CodeQL scan #838
Merged
Bind inputs.version to env var instead of interpolating into run block.
Contributor
The PR correctly adds matrix-based CodeQL scanning for both java-kotlin and actions languages, but all four if conditions in the composite action are missing the required ${{ }} expression delimiters — in composite actions, bare expressions like inputs.language == 'java-kotlin' are not evaluated as booleans and will cause the conditional steps to behave incorrectly at runtime.
PR Bot Information
- Version: 1.20.51
- Correlation ID: c275a6ec-2ea3-4820-ba7c-1c86a0303735
- File Content Strategy: Full file content
- Event Trigger: pull_request.opened
- Agent Instructions:
- LLM: anthropic--claude-4.6-sonnet
Add actions Language Support to CodeQL Scan

Bug Fix 🐛

Extended the CodeQL security scan to also analyze GitHub Actions workflows (the actions language), in addition to the existing java-kotlin analysis. Previously, only java-kotlin was hardcoded; now the scan runs as a matrix job for both languages.

Changes

- .github/actions/scan-with-codeql/action.yml: Added a new required language input parameter. Made Java setup, Maven setup, @sap/cds-dk installation, and Java build steps conditional on language == 'java-kotlin'. Replaced hardcoded java-kotlin references in the CodeQL init and analyze steps with ${{ inputs.language }}, and set build-mode dynamically (manual for java-kotlin, none otherwise).
- .github/workflows/pipeline.yml: Updated the codeql job to use a matrix strategy over [java-kotlin, actions] with fail-fast: false. The job name now reflects the current matrix language. Added language: ${{ matrix.language }} to the scan-with-codeql action inputs.

PR Bot Information
- Version: 1.20.51
- Correlation ID: c275a6ec-2ea3-4820-ba7c-1c86a0303735
- Event Trigger: pull_request.opened
- LLM: anthropic--claude-4.6-sonnet