ci(repo): fix CodeQL workflow - Rust needs build-mode none #45

Merged: saagpatel merged 1 commit into master from codex/ci/fix-codeql-workflow-bugs on Apr 21, 2026

@saagpatel (Owner)

What

Fix two bugs in .github/workflows/codeql.yml that I introduced in Wave 3 (#30) and that caused both matrix jobs to fail on every run since.

Change 1: Rust matrix build-mode: manual → build-mode: none. CodeQL's Rust support hard-rejects manual mode with:

A fatal error occurred: Rust does not support the manual build mode.
Please try using one of the following build modes instead: none.

Change 2: Drop cache: "pnpm" from actions/setup-node on the JS matrix. With build-mode: none we never run pnpm install, so the cache post-step tries to save from a nonexistent path and fails with:

Path(s) specified in the action for caching do(es) not exist,
hence no cache is being saved.

Also drop the now-unused Install Rust, Setup pnpm, and Build Rust (manual mode) steps.

Why

Caught these while verifying the post-Wave-4 state before Wave 5. The bugs have been failing on every master push since #30 landed (both matrix jobs red). No SARIF uploaded, so the Security tab has nothing to show.

With this fix, CodeQL will actually run — which was the whole point of Wave 3.

How

One commit. 6 insertions, 24 deletions. No other workflows touched.

Testing

  • Commands run: YAML parsed via js-yaml (OK); matrix inspected (two entries, both build-mode: none)
  • Results: CI on this PR will be the real validation — both matrix jobs should complete Perform CodeQL Analysis and upload SARIF

Performance impact

  • Bundle delta: N/A (CI workflow)
  • Build time delta: none on master; CodeQL run wall-clock unchanged (same analyze step)
  • Lighthouse delta: none
  • API latency delta: none
  • DB query delta: none

Risk / Notes

  • Low risk: fixes a workflow that hasn't been producing any signal since it was added
  • If CodeQL's Rust extractor reports new findings that weren't visible before (because the job never got past init), those need to be triaged in docs/security/codeql-baseline.md as part of baseline capture

Screenshots (UI only)

  • N/A

Lockfile rationale (if lockfile changed)

  • No lockfile changes.

🤖 Generated with Claude Code

Two bugs introduced by the original CodeQL workflow in Wave 3 (#30),
each caught on first master run after merge:

1. Rust matrix used build-mode: manual. CodeQL's Rust support does
   not accept manual mode — the init step hard-fails with
   'A fatal error occurred: Rust does not support the manual build
   mode. Please try using one of the following build modes instead:
   none.' Fix: use build-mode: none. Also drop the now-unused
   'Build Rust (manual mode)' + 'Install Rust' steps.

2. JS matrix passed cache: 'pnpm' to actions/setup-node. With
   build-mode: none we never run pnpm install, so the cache
   post-step tries to save a cache from a nonexistent path and fails
   with 'Path(s) specified in the action for caching do(es) not
   exist'. Fix: drop the cache param for CodeQL (we don't install
   anything).

Also drop the pnpm/action-setup step — unused after the cache
removal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@saagpatel merged commit 0a51838 into master on Apr 21, 2026
25 of 26 checks passed
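
The two fixes described in this PR, written out as a constructed workflow sketch with the old settings noted in comments. This is an added example, not the repository's actual .github/workflows/codeql.yml; the pull_request trigger, permissions block, runner, action version tags, step condition and Node version are assumptions.

```yaml
# Constructed sketch, NOT the repository's .github/workflows/codeql.yml.
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:            # assumed trigger
    branches: [master]

permissions:               # assumed least-privilege block
  contents: read
  security-events: write   # needed so analyze can upload SARIF to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest           # assumed runner
    strategy:
      fail-fast: false               # one language failing should not hide the other
      matrix:
        include:
          - language: javascript-typescript
            build-mode: none
          - language: rust
            build-mode: none         # was: manual, which init rejects for Rust
    steps:
      - uses: actions/checkout@v4    # version tags are assumptions

      - name: Setup Node
        if: matrix.language == 'javascript-typescript'   # assumed condition
        uses: actions/setup-node@v4
        with:
          node-version: 20           # assumed version
          # was: cache: "pnpm"; removed because no pnpm install runs in this
          # job, so the cache post-step had no path to save

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # No "Install Rust", "Setup pnpm" or "Build Rust (manual mode)" steps:
      # with build-mode none there is nothing to build between init and analyze.

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

A green run is only useful signal if each matrix job reaches the analyze step and its SARIF appears under the Security tab, so check for the upload rather than the job status alone.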