tools: enable CodeQL config file

Trott · Trott · commit 7b39845aec23 · 2025-04-26T06:20:50.000-07:00
A previous change designed to ignore test files in CodeQL scans had multiple problems. This fixes the CodeQL scan breakage. It adds a CodeQL config file, which allows us to ignore the test directory in our scans. Refs: nodejs#57978 (comment) Refs: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,4 @@
+name: "My CodeQL config"
+
+paths-ignore:
+  - test
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -3,13 +3,11 @@ name: Run CodeQL
 on:
   schedule:
     - cron: 0 0 * * *
+  workflow_dispatch:
 
 permissions:
   contents: read
 
-paths-to-ignore:
-  - test
-
 jobs:
   analyze:
     name: Analyze
@@ -33,6 +31,7 @@ jobs:
         uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
         with:
           languages: ${{ matrix.language }}
+          config-file: ./.github/codeql-config.yml
 
       - name: Autobuild
         uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +name: "My CodeQL config"
++
 +paths-ignore:
 +  - test