ci: update CodeQL workflow actions and add Dependabot monitoring#413
ci: update CodeQL workflow actions and add Dependabot monitoring#413
Conversation
Bump actions/checkout v4 → v5 and github/codeql-action v3 → v4 to resolve GitHub Actions Node.js 20 deprecation warnings. Node.js 20 actions will be forced to Node.js 24 starting June 2, 2026. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-actions
Bot
added
the
[Type] Build Tooling
Add `github-actions` package ecosystem to dependabot.yml so action version updates (checkout, codeql-action, etc.) are tracked automatically alongside npm dependencies. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jkmassel
changed the title
Set build-mode: none for the interpreted languages job (actions, java-kotlin, javascript-typescript) and remove the autobuild step. This ensures CodeQL extracts all Kotlin source files rather than only those reachable from a single Gradle build (51/90 previously). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Change from building only GutenbergKit and GutenbergKitHTTP to building all targets including tests. Previously only 11/132 Swift files were scanned. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add xcodebuild step for the Demo-iOS Xcode project so its 14 Swift files are also scanned by CodeQL. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
java-kotlin requires compilation and cannot use build-mode: none. Use a matrix include to set the build mode per language: autobuild for java-kotlin, none for actions and javascript-typescript. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Autobuild only compiled 51/90 Kotlin files. Replace it with a dedicated job that runs compileDebugSources, compileDebugTestSources, and compileDebugAndroidTestSources across both modules to ensure full coverage. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use `compileDebugUnitTestSources` instead of the ambiguous `compileDebugTestSources` which matches both unit and Android test source sets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The compileDebugAndroidTestSources task fails because Espresso Web and Compose test dependencies aren't available on the CI runner. These instrumentation tests in the demo app aren't useful targets for static security analysis, so just compile main and unit test sources. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
dcalhoun
left a comment
dcalhoun
left a comment
There was a problem hiding this comment.
While I do not see any deprecation warnings in the CI logs, it appears the Swift CodeQL task continues to cancel due to a timeout. Here is Claude's analysis. WDYT is the most appropriate solution?
Claude analysis
Root Cause
The analyze-swift job is hitting its 30-minute timeout (codeql.yml:67). The swift build --build-tests step alone takes ~29.5 minutes, leaving no time for the subsequent "Build Demo app" step. The build got to 277/279 compilations before being killed.
Two factors contribute to the long build time:
-
SPM dependency resolution is slow — computing the version for
SVGView.gitalone took 531 seconds (~9 minutes). This is a known issue with SPM when usingfrom:ranges on repos with many tags — SPM checks every tag to find compatible versions. -
The build itself is large — compiling all targets including tests (279 compilation units total) plus all dependencies (SwiftSoup, SVGView, GutenbergKitHTTP, etc.) takes ~20 minutes.
And the "Build Demo app" xcodebuild step would add even more time on top of that.
Fix Options
Option 1 (simplest): Increase the timeout
Bump timeout-minutes from 30 to 60 on the analyze-swift job. This gives enough headroom for both build steps plus the CodeQL analysis step.
Option 2 (also helps): Remove --build-tests
Change swift build --build-tests to just swift build. CodeQL only needs the source code compiled for analysis — test code is typically not what you want to scan for security vulnerabilities. This would cut out ~50 compilation units and save several minutes.
Option 3 (complementary): Remove the Demo app build
The Demo app build adds more compilation time. If the Swift package build already covers the main library code, the Demo app step may be redundant for CodeQL's purposes.
The swift build + Demo app xcodebuild completes but takes ~30m on macos-15 runners, hitting the timeout boundary during the Demo app build step. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SPM version resolution takes ~9 minutes on a cold CI cache because it clones each dependency mirror and parses Package.swift for every candidate version. Caching the SPM repository mirrors across runs avoids this. Also removes a stale wordpress-rs pin from Package.resolved — it's not in Package.swift and shouldn't be resolved. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
swift build --build-tests compiles test targets that import UIKit, which isn't available when building for macOS on CI. The library targets are sufficient for CodeQL analysis. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates the repository’s security/CI automation by modernizing the CodeQL workflow action versions and enabling Dependabot to track future GitHub Actions updates, while also adjusting how CodeQL builds/analysis are executed for different languages.
Changes:
- Bump
actions/checkouttov5andgithub/codeql-actionsteps tov4. - Restructure CodeQL workflow: split Kotlin into a dedicated job with an explicit Gradle build; adjust Swift job (SPM caching, broader builds, longer timeout); remove CodeQL
autobuildfor interpreted languages and setbuild-mode: none. - Add Dependabot updates for the
github-actionsecosystem.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
Package.resolved |
Updates SwiftPM lock state and removes an unused/stray pin (wordpress-rs). |
.github/workflows/codeql.yml |
Upgrades actions and changes CodeQL job structure/build behavior across languages. |
.github/dependabot.yml |
Enables Dependabot monitoring for GitHub Actions version updates. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| analyze-kotlin: | ||
| name: Analyze (java-kotlin) | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 30 | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v5 | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v4 | ||
| with: | ||
| languages: java-kotlin | ||
|
|
||
| - name: Build Android project | ||
| run: cd android && ./gradlew compileDebugSources compileDebugUnitTestSources | ||
|
|
There was a problem hiding this comment.
This PR introduces additional workflow behavior beyond version bumps: it splits out a new analyze-kotlin job and adds an explicit Android Gradle build step. Please call this out in the PR description/test plan (it can affect CI time/failure modes) so reviewers understand the scope increase.
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| uses: github/codeql-action/init@v4 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
|
|
||
| - name: Autobuild | ||
| uses: github/codeql-action/autobuild@v3 | ||
| build-mode: none |
There was a problem hiding this comment.
The PR description claims only action bumps with no behavioral changes, but this workflow change also removes the CodeQL autobuild step and explicitly sets build-mode: none for the interpreted-language matrix. Please update the PR description/test plan to reflect these workflow behavior changes (and confirm they don’t reduce JS/TS extraction coverage compared to the previous autobuild-based setup).
| run: swift build | ||
|
|
||
| - name: Build Demo app | ||
| run: xcodebuild build -project ios/Demo-iOS/Gutenberg.xcodeproj -scheme Gutenberg -destination 'generic/platform=iOS' CODE_SIGNING_ALLOWED=NO |
There was a problem hiding this comment.
💭 Just wondering, would it make sense to check in the Demo app Package.resolved, now that this job builds the Xcode project? That would make dependency resolution for this step reproducible.
Summary
actions/checkoutfrom v4 to v5github/codeql-action(init, autobuild, analyze) from v3 to v4github-actionsecosystem to Dependabot to automatically track future action version updatesResolves GitHub Actions deprecation warnings for Node.js 20. Both v5 (checkout) and v4 (codeql-action) are drop-in replacements with no breaking changes for this workflow.
Test plan
🤖 Generated with Claude Code