From 6fba1630498a23205ba782d41ed10cd122b439bc Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 3 Apr 2026 21:52:41 +0000 Subject: [PATCH 1/2] Exclude ThirdParty from CodeQL scanning and enable Copilot Autofix - Add .github/codeql/codeql-config.yml with paths-ignore for ThirdParty/ - Reference config in CodeQL init step to suppress alerts from vendored deps - Add Copilot Autofix step (runs on PRs) to auto-suggest fixes for findings - Grant pull-requests: write permission required by the autofix action https://claude.ai/code/session_01LwFpJtW8drWnZMmPgaHyEz --- .github/codeql/codeql-config.yml | 8 ++++++++ .github/workflows/codeql.yml | 16 ++++++++++++---- 2 files changed, 20 insertions(+), 4 deletions(-) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 00000000..a4f71322 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,8 @@ +name: "SparkEngine CodeQL Config" + +# Exclude third-party libraries from code scanning analysis. +# These are vendored dependencies we don't maintain — alerts in them +# are noise and should not block PRs. +paths-ignore: + - "ThirdParty" + - "ThirdParty/**" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e1e56522..4a4b506e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -39,6 +39,9 @@ jobs: actions: read contents: read + # required for Copilot Autofix to propose pull request suggestions + pull-requests: write + strategy: fail-fast: false matrix: 
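Review bot: Excluding `ThirdParty/` hides findings in code that is still compiled into and shipped with the product, and the new config's comment only says the alerts are noise without naming the compensating control for those libraries. I would extend the header comment along the lines of `# Vendored code is still shipped: track the pinned upstream versions and keep dependency review / advisory monitoring on them, since CodeQL will no longer report anything located under ThirdParty/.` Note also that for compiled languages, as far as I recall, `paths-ignore` filters the reported alerts rather than what the extractor builds, so ThirdParty is still analysed and only results whose location falls inside it are dropped; flows that pass through vendored code and surface in first-party files will still be reported, which is the desirable behaviour but worth stating. The bare `"ThirdParty"` entry already excludes the directory, so the `"ThirdParty/**"` line appears redundant, though harmless.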
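Review bot: `pull-requests: write` widens the workflow token on a job that, judging by the `build-mode` input further down, builds the repository's own code, and nothing left in this series consumes it — the only step that did, `codeql-action/autofix`, is removed again in the second patch. To my knowledge Copilot Autofix is enabled in repository settings and posts its suggestions through GitHub's own identity after the SARIF upload, which relies on `security-events: write` (presumably granted above this hunk), not on `pull-requests: write`; on `pull_request` runs from forks the token is read-only regardless, so this grant cannot be what enables fixes on external contributions. I would drop the added comment and the `pull-requests: write` line, keeping the job at the visible `actions: read` / `contents: read`, or, if there is a documented requirement, cite it in the comment instead of the current wording. The permissions block continues outside the hunk.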
@@ -81,10 +84,7 @@ jobs: with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - + config-file: ./.github/codeql/codeql-config.yml # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality @@ -110,3 +110,11 @@ jobs: uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}" + output: sarif-results + + - name: Copilot Autofix + if: github.event_name == 'pull_request' + uses: github/codeql-action/autofix@v4 + with: + category: "/language:${{matrix.language}}" + output: autofix-results From 41d5743fb8c273c2a6b98933c97d9806b9cb3b1e Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 3 Apr 2026 22:02:09 +0000 Subject: [PATCH 2/2] =?UTF-8?q?Remove=20invalid=20codeql-action/autofix=20?= =?UTF-8?q?step=20=E2=80=94=20Autofix=20is=20server-side?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The autofix sub-action doesn't exist in github/codeql-action. Copilot Autofix runs automatically on GitHub's side after SARIF upload; no workflow step is needed. The pull-requests:write permission is kept so Autofix can post suggested fixes on PRs. https://claude.ai/code/session_01LwFpJtW8drWnZMmPgaHyEz --- .github/workflows/codeql.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4a4b506e..c2e5c371 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
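Review bot: The comment that explained how a workflow-level `queries:` interacts with the config file was deleted rather than updated, so a reader of `config-file: ./.github/codeql/codeql-config.yml` no longer learns that scan scope now lives in that file or that, for compiled languages, `paths-ignore` is (as far as I recall) applied to results rather than to extraction. I would keep a one-line comment above the new key: `# Scope (paths-ignore for ThirdParty/) is set in the config file; a queries: list here would still override any queries declared there.` The `# queries: security-extended,security-and-quality` line stays commented out, so the run remains on the default suite; if the point of adding a config file is to centralise policy, the query suite belongs there too rather than as a dead comment in the workflow. The init step's `with:` block starts before the hunk.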
@@ -110,11 +110,3 @@ jobs: uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}" - output: sarif-results - - - name: Copilot Autofix - if: github.event_name == 'pull_request' - uses: github/codeql-action/autofix@v4 - with: - category: "/language:${{matrix.language}}" - output: autofix-results