ci(codeql): enable c-cpp and java-kotlin analyses#1244

Merged
mbouaziz merged 3 commits into main from codeql-c-cpp-and-java-kotlin on May 27, 2026
Conversation

@mbouaziz
Contributor

Summary

  • Re-enables the c-cpp and java-kotlin CodeQL analyses that have been commented out since CodeQL: switch to advanced setup #807 (March 2025), where they failed with autobuild.
  • Switches them to manual builds scoped to the user-written code:
    • c-cpp: install clang-20 from apt.llvm.org (matches LLVM_VERSION in bin/apt-install.sh), init the libbacktrace submodule, build skiplang/prelude/runtime/libskip_runtime64.a. The node-gyp addon and skiplang-compiler-generated .c files are intentionally skipped — they need the full skiplang toolchain.
    • java-kotlin: install JDK 20 (matches java.toolchain pin in sql/server) and run ./gradlew classes testClasses in sql/server, which is the only Kotlin code in the repo.
  • Keeps the paths-ignore: sql/** filter for javascript-typescript and python (unchanged behavior) but lifts it for java-kotlin, since the Kotlin code lives in sql/server.
  • Adds workflow_dispatch so the workflow can be triggered manually rather than waiting for the Sunday cron.

Why

The repo's Security → Code scanning tool-status page reports "CodeQL is reporting errors" — the only errored analyses on file are the c-cpp / java-kotlin runs from 2025-03-13 (commit eeae5593c) under the "automatic" configuration. Re-enabling these analyses with working builds replaces the stale errored state with current analyses.

Test plan

  • Workflow runs successfully on this PR via workflow_dispatch for all four languages
  • No new false-positive alerts surface; if any real alerts surface for c-cpp/java-kotlin, they get triaged separately
  • After merge, the Security tab status banner clears

🤖 Generated with Claude Code

Re-enable the C/C++ and Java/Kotlin CodeQL analyses that have been
commented out since PR #807, switching from autobuild (which failed at
the time) to manual builds scoped to the user-written code.

c-cpp: install clang-20 from apt.llvm.org (matches LLVM_VERSION pinned
in bin/apt-install.sh), init the libbacktrace submodule for headers,
and build skiplang/prelude/runtime/libskip_runtime64.a. The node-gyp
addon and skiplang compiler outputs are intentionally skipped — they
require the full skiplang toolchain.

java-kotlin: install JDK 20 (matches the Gradle java.toolchain pin in
sql/server) and run `./gradlew classes testClasses` in sql/server,
which is the only Kotlin code in the repo.

paths-ignore for sql/** is kept for the existing javascript-typescript
and python analyses but lifted for java-kotlin since the Kotlin code
lives in sql/server.

Also adds workflow_dispatch so the workflow can be triggered manually
instead of waiting for the Sunday cron, and clears out boilerplate
comments left from the GitHub-generated starter file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-advanced-security
Contributor

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

mbouaziz and others added 2 commits May 27, 2026 12:31
ubuntu-latest already registers clang++ as a master alternative, so
slaving it under clang failed with "alternative clang++ can't be slave
of clang: it is a master alternative". Register each separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The paths-ignore was added in ad3aaca back when the workflow first
moved off default setup, but sql/ts/ contains the actively-maintained
SKDB TS client where alerts have been triaged and fixed historically
(#6, #7, #8, #9, #10, #11). Filtering it out silences real findings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
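The workflow file itself is not shown on this page. As an added illustration (not the repository's actual `.github/workflows` file and not code from the PR author), the sketch below puts the pieces described in the PR summary and in the two commit messages above into one CodeQL advanced-setup workflow: a per-language matrix, `build-mode: manual` for c-cpp and java-kotlin, the clang-20 install with `clang` and `clang++` registered as separate alternatives, the JDK 20 toolchain, the Gradle step in `sql/server`, and `workflow_dispatch`. Assumptions are marked in comments: the `llvm.sh` helper from apt.llvm.org is assumed to be how clang-20 is installed, the libbacktrace submodule path and the build command for `libskip_runtime64.a` are placeholders, JDK 20 is assumed to come from `actions/setup-java`, and, following the second commit message, no `sql/**` paths-ignore is applied to the javascript-typescript analysis.

```yaml
name: CodeQL

on:
  schedule:
    - cron: "0 3 * * 0"      # weekly Sunday run, as the PR text describes
  workflow_dispatch:          # manual trigger added by the PR

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write  # needed to upload SARIF results
    strategy:
      fail-fast: false        # one language failing must not cancel the others
      matrix:
        include:
          - language: c-cpp
            build-mode: manual
          - language: java-kotlin
            build-mode: manual
          - language: javascript-typescript
            build-mode: none
          - language: python
            build-mode: none
    steps:
      - uses: actions/checkout@v4

      # Toolchain installs run before init; the `if:` guards keep them off the
      # other matrix legs.
      - name: Install clang-20 (c-cpp only)
        if: matrix.language == 'c-cpp'
        run: |
          # ASSUMPTION: the apt.llvm.org helper script is what installs clang-20;
          # the page only says "from apt.llvm.org".
          wget -q https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && sudo ./llvm.sh 20
          # Register clang and clang++ as separate master alternatives. Making
          # clang++ a slave of clang fails on ubuntu-latest because clang++ is
          # already registered as a master alternative there (second commit message).
          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-20 100
          sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-20 100
          # PLACEHOLDER: submodule path is not on the page.
          git submodule update --init -- <PATH_TO_LIBBACKTRACE_SUBMODULE>

      - name: Set up JDK 20 (java-kotlin only)
        if: matrix.language == 'java-kotlin'
        uses: actions/setup-java@v4   # ASSUMPTION: JDK source is not named on the page
        with:
          distribution: temurin
          java-version: "20"          # matches the java.toolchain pin in sql/server

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # Manual builds must sit between init and analyze so the CodeQL tracer
      # observes the compiler invocations.
      - name: Build the C runtime (c-cpp only)
        if: matrix.language == 'c-cpp'
        # PLACEHOLDER: the exact build command is not on the page; only the
        # target artifact skiplang/prelude/runtime/libskip_runtime64.a is.
        run: make -C skiplang/prelude/runtime libskip_runtime64.a

      - name: Compile Kotlin sources (java-kotlin only)
        if: matrix.language == 'java-kotlin'
        working-directory: sql/server
        run: ./gradlew classes testClasses

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Two practitioner notes on this shape. First, scoping the manual build to `libskip_runtime64.a` means the node-gyp addon and the compiler-generated `.c` files never enter the CodeQL database, exactly as the PR states; anything compiled outside the init/analyze window is likewise invisible to the scan, so a build step placed before `init` would silently produce an empty c-cpp database. Second, the clang install fetches and executes a script from apt.llvm.org at workflow time; vendoring that script or pinning the package versions it installs is the supply-chain-conscious variant, and nothing on this page says which the PR chose.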
@mbouaziz mbouaziz merged commit 103bdac into main May 27, 2026
7 checks passed
@mbouaziz mbouaziz deleted the codeql-c-cpp-and-java-kotlin branch May 27, 2026 12:40