From 6cdc399f3aebad81185c1bee2a4317977f04bc7f Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 30 May 2026 19:35:14 +0100
Subject: [PATCH] =?UTF-8?q?ci(codeql):=20switch=20language=20matrix=20java?=
 =?UTF-8?q?script-typescript=20=E2=86=92=20actions=20(no=20JS=20source)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`.github/workflows/codeql.yml` had `language: javascript-typescript` but
this repo contains zero JS/TS/JSX/TSX source files (verified via git
tree scan, excluding vendored/build paths). The CodeQL `analyze` job
therefore exited with "configuration error: no source files" on every
run, blocking Dependabot PRs.

Switch the matrix to `actions` — CodeQL's workflow-scanning lane, which
inspects `.github/workflows/*.yml` for security issues. Every repo has
workflow files, so this lane always has something useful to scan.

Detector: hypatia rule WF008 (`check_codeql_language_matrix_mismatch`)
already fires on this pattern via `has_codeql_supported_language` opts.

Caught by the 2026-05-30 estate CI/CD audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index eab473f..f6df54a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -36,7 +36,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-        - language: javascript-typescript
+        - language: actions
           build-mode: none
         # Note: Rust is not yet supported by CodeQL
         # Python/Go are banned in this repo per RSR language policy