
Migrate CodeQL to advanced setup #26

@zeevdr

Description

Follow-up to opendecree/decree#183. Migrate from default-setup to advanced-setup so we can paths-ignore generated proto/TS stubs and pin the CodeQL workflow to repo conventions.

Reference: opendecree/decree#190 (advanced workflow for the core repo).

Acceptance criteria

  • Disable default-setup: gh api -X PATCH repos/opendecree/decree-typescript/code-scanning/default-setup -f state=not-configured
  • Add .github/workflows/codeql.yml with Analyze jobs for actions and javascript-typescript
  • Add paths-ignore for generated code: src/generated/**
  • Match default-setup's default query suite + remote threat model for findings parity
  • Verify advanced-setup flags equivalent findings vs default-setup on the same commit

Notes

Languages currently scanned by default-setup: actions, javascript, javascript-typescript, typescript. CodeQL collapses these to javascript-typescript in advanced-setup.

Metadata

Assignees: No one assigned

Labels:

  • ci: CI/Infrastructure
  • enhancement: New feature or request
  • priority: P1: Current milestone work
  • size: S: Quick win — a few hours or less

Projects: No projects

Milestone: No milestone
