Consider this run:
#1437
I happen to know that this work only dealt with Java.
Is there a way to make it so only the Java CodeQL checks happen in such cases?
I can see the problem — the PR triggered CodeQL Analyze jobs for all 7 languages (python, go, javascript-typescript, csharp, java-kotlin, rust, actions) even though only Java files changed. Let me look at the CodeQL workflow:
CodeQL is running via GitHub's default setup (no .github/workflows/codeql.yml file exists in the repo). The default setup always analyzes all configured languages on every PR — it has no path-based filtering.
To get per-language filtering, you'd need to switch to advanced setup by creating a workflow file. Here's what that would look like:
```yaml
# .github/workflows/codeql.yml
name: "CodeQL"
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  # Work out which language directories were touched by this change.
  changes:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read  # paths-filter lists a PR's changed files through the API
    outputs:
      java: ${{ steps.filter.outputs.java }}
      js: ${{ steps.filter.outputs.js }}
      python: ${{ steps.filter.outputs.python }}
      go: ${{ steps.filter.outputs.go }}
      csharp: ${{ steps.filter.outputs.csharp }}
      rust: ${{ steps.filter.outputs.rust }}
    steps:
      # Required for push events, where paths-filter diffs commits with git
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            java: ['java/**']
            js: ['nodejs/**', 'scripts/**']
            python: ['python/**']
            go: ['go/**']
            csharp: ['dotnet/**']
            rust: ['rust/**']
  # One matrix entry per language; every step is skipped unless its gate is 'true'.
  analyze:
    needs: changes
    strategy:
      matrix:
        include:
          - language: java-kotlin
            gate: java
          - language: javascript-typescript
            gate: js
          - language: python
            gate: python
          - language: go
            gate: go
          - language: csharp
            gate: csharp
          # rust not natively supported by CodeQL
    if: always()
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write  # needed to upload code scanning results
    steps:
      - if: needs.changes.outputs[matrix.gate] == 'true'
        uses: actions/checkout@v4
      - if: needs.changes.outputs[matrix.gate] == 'true'
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - if: needs.changes.outputs[matrix.gate] == 'true'
        uses: github/codeql-action/autobuild@v3
      - if: needs.changes.outputs[matrix.gate] == 'true'
        uses: github/codeql-action/analyze@v3
```
However, this change requires repo admin action:
- Go to Settings → Code security → Code scanning → CodeQL analysis and switch from "Default" to "Advanced" (this disables the default setup)
- Commit the new workflow file
- If CodeQL is a required status check, the check names may change and branch protection rules need updating
This isn't something I can do via code alone — it requires a repo admin to toggle the setting in GitHub. I'd recommend filing an issue or discussing with the team, since switching setups affects all languages and their required checks.