Conversation

Contributor

Copilot AI commented Nov 24, 2025

Success criteria

CodeQL analysis should:

  • Build the ESM bundle before scanning
  • Analyze only dist/webchat.esm.js
  • Ignore source files, node_modules, and build artifacts
  • Return non-empty scan results

How to test

  1. Trigger the CodeQL workflow (push to main, create PR, or wait for Monday 15:40 UTC)
  2. Verify the "Build ESM bundle" step completes successfully
  3. Confirm CodeQL analysis runs on dist/webchat.esm.js
  4. Check that scan results are populated (not empty)

Changes

.github/workflows/codeql.yml:

  • Added Node.js 22 setup with npm cache for JavaScript/TypeScript jobs
  • Added npm ci and npm run build:esm steps before CodeQL initialization
  • Changed JavaScript/TypeScript build-mode from none to manual
  • References CodeQL config file for path filtering

.github/codeql-config.yml:

  • Restricts analysis to dist/webchat.esm.js only
  • Excludes source files, node_modules, and test artifacts

The Actions workflow language analysis continues unchanged (no build required).

Security

  • No security implications

Additional considerations

  • This PR might have performance implications

Documentation Considerations

None - internal CI/CD configuration change.
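As an added illustration (not the PR's own files), the two YAML documents below reconstruct a workflow and CodeQL config that match the bullet list above: Node.js 22 with npm cache, `npm ci` and `npm run build:esm` before `codeql-action/init`, build-mode `manual` for JavaScript/TypeScript, an unchanged Actions-language job, and a config file that limits analysis to `dist/webchat.esm.js`. The trigger branches, cron expression, `permissions` block, action version tags, matrix layout and the assumption that `build:esm` emits `dist/webchat.esm.js` are all assumptions, not taken from the merged commit.

```yaml
# File: .github/workflows/codeql.yml  (illustrative reconstruction, not the PR's file)
name: CodeQL

on:
  push:
    branches: [main]          # assumed
  pull_request:
    branches: [main]          # assumed
  schedule:
    - cron: '40 15 * * 1'     # Mondays 15:40 UTC, matching the "How to test" note

permissions:
  contents: read
  security-events: write      # required to upload SARIF results to code scanning
  actions: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          # JS/TS job: build the bundle ourselves, then point CodeQL at it via the config file
          - language: javascript-typescript
            build-mode: manual
            config-file: ./.github/codeql-config.yml
          # Actions-language job: no build, no path filter (config-file resolves to "")
          - language: actions
            build-mode: none
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        if: matrix.language == 'javascript-typescript'
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm

      - name: Build ESM bundle
        if: matrix.language == 'javascript-typescript'
        run: |
          npm ci
          npm run build:esm       # assumed to produce dist/webchat.esm.js

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          config-file: ${{ matrix.config-file }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
---
# File: .github/codeql-config.yml  (illustrative reconstruction, not the PR's file)
name: "CodeQL: analyze the built ESM bundle only"

# Only this file is extracted; everything else is skipped.
paths:
  - dist/webchat.esm.js

# Belt-and-braces exclusions for source, dependencies and test artifacts.
paths-ignore:
  - src
  - node_modules
  - '**/*.test.js'
  - '**/*.test.ts'
```

Two points worth checking when adopting this shape: `paths` and `paths-ignore` in a CodeQL config file filter extraction only for interpreted languages such as JavaScript/TypeScript, which is why the config file is attached only to that matrix entry; and because the scanned artifact is the bundle, any alert's file and line refer to `dist/webchat.esm.js` rather than the source module, and code that is not included in the bundle is not analyzed at all, so the "non-empty results" check in the PR is the right sanity test that the filter did not exclude everything.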


Copilot AI mentioned this pull request Nov 24, 2025
@graymalkin77

graymalkin77 commented Nov 24, 2025

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total (0)
Open Source Security  0         0     0       0    0 issues
Licenses              0         0     0       0    0 issues
Code Security         0         0     0       0    0 issues

Copilot AI and others added 3 commits November 24, 2025 15:26
Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com>
Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com>
Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com>
Copilot AI changed the title [WIP] Add CodeQL analysis workflow for security scanning Configure CodeQL to build and analyze ESM bundle only Nov 24, 2025
Copilot AI requested a review from kwinto November 24, 2025 15:31
@kwinto kwinto marked this pull request as ready for review November 24, 2025 15:32
@kwinto kwinto merged commit 081895d into kwinto-patch-1 Nov 24, 2025
9 of 10 checks passed
@kwinto kwinto deleted the copilot/sub-pr-212 branch November 24, 2025 15:32