From 5843fb9ddb7afd084217bfe5d237fd18475be730 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Mar 2026 12:58:00 +0000 Subject: [PATCH 1/6] Add CodeQL workflow for Python, C#, and Go scanning Co-authored-by: seesharprun <5067401+seesharprun@users.noreply.github.com> --- .github/workflows/codeql.yml | 95 ++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..b21e732 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,95 @@ +name: CodeQL + +on: + push: + branches: ["main"] + pull_request: + branches: ["main"] + schedule: + - cron: '30 4 * * 2' + workflow_dispatch: + +jobs: + analyze-python: + name: Analyze (python) + if: github.repository == 'AzureCosmosDB/samples' + runs-on: ubuntu-latest + permissions: + security-events: write + packages: read + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: python + build-mode: none + queries: security-and-quality + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:python" + + analyze-csharp: + name: Analyze (csharp) + if: github.repository == 'AzureCosmosDB/samples' + runs-on: ubuntu-latest + permissions: + security-events: write + packages: read + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: csharp + build-mode: manual + queries: security-and-quality + - name: Set up .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: '9.0' + - name: Build .NET samples + run: | + set -e + projs=$(find dotnet -name '*.csproj' 2>/dev/null) + if [ -z "$projs" ]; then + echo "::warning::No .csproj files found in dotnet/. Skipping C# build for CodeQL." 
+ exit 0 + fi + echo "$projs" | while IFS= read -r proj; do + dotnet build "$proj" --configuration Release + done + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:csharp" + + analyze-go: + name: Analyze (go) + if: github.repository == 'AzureCosmosDB/samples' + runs-on: ubuntu-latest + permissions: + security-events: write + packages: read + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: go + build-mode: autobuild + queries: security-and-quality + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:go" From ab8f6a211677ae28d7810586f2cf3b4d23a17cdf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Mar 2026 13:13:24 +0000 Subject: [PATCH 2/6] Remove manual build steps from C# CodeQL job, use build-mode: none Co-authored-by: seesharprun <5067401+seesharprun@users.noreply.github.com> --- .github/workflows/codeql.yml | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b21e732..90b19b8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
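Review bot: Every `uses:` in this hunk references a floating major-version tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`, `actions/setup-dotnet@v4`) while each job is granted `security-events: write`, so whatever a moved tag resolves to runs with permission to write the repository's code-scanning results. Pinning each action to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, removes that dependency on tag immutability; the later bump to `checkout@v6` in this series keeps the tag form and would want the same treatment. None of the three jobs sets `timeout-minutes`, so a hung `dotnet build` or Go autobuild holds a runner for GitHub's 360-minute default; `timeout-minutes: 60` on each job is cheap insurance.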
@@ -49,23 +49,8 @@ jobs: uses: github/codeql-action/init@v3 with: languages: csharp - build-mode: manual + build-mode: none queries: security-and-quality - - name: Set up .NET - uses: actions/setup-dotnet@v4 - with: - dotnet-version: '9.0' - - name: Build .NET samples - run: | - set -e - projs=$(find dotnet -name '*.csproj' 2>/dev/null) - if [ -z "$projs" ]; then - echo "::warning::No .csproj files found in dotnet/. Skipping C# build for CodeQL." - exit 0 - fi - echo "$projs" | while IFS= read -r proj; do - dotnet build "$proj" --configuration Release - done - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: From 3cf2239a47d36ca68625cc628afff4bb1453fa65 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Mar 2026 13:20:02 +0000 Subject: [PATCH 3/6] Rename CodeQL jobs to match Validate Samples naming; add JavaScript/TypeScript job Co-authored-by: seesharprun <5067401+seesharprun@users.noreply.github.com> --- .github/workflows/codeql.yml | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 90b19b8..8596562 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -name: CodeQL +name: Analyze Samples on: push: @@ -11,7 +11,7 @@ on: jobs: analyze-python: - name: Analyze (python) + name: Analyze Python Samples if: github.repository == 'AzureCosmosDB/samples' runs-on: ubuntu-latest permissions: 
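Review bot: Switching C# to `build-mode: none` removes the explicit restore and build, which leaves no trace in the file of why a compiled language is scanned buildless; as far as I recall the CodeQL docs caution that dependency resolution in this mode is best-effort and results can be less precise when it fails, so the trade-off should be recorded next to the key: `build-mode: none  # buildless: samples need not compile in CI; deps restored best-effort, so some cross-project dataflow may be missed`. If a future sample has a layout that buildless restore cannot handle, the documented fallback is `manual` with an explicit build step, which this commit has just deleted. The enclosing `analyze-csharp` job header lies above the hunk.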
@@ -33,8 +33,31 @@ jobs: with: category: "/language:python" - analyze-csharp: - name: Analyze (csharp) + analyze-javascript: + name: Analyze JavaScript/TypeScript Samples + if: github.repository == 'AzureCosmosDB/samples' + runs-on: ubuntu-latest + permissions: + security-events: write + packages: read + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: javascript-typescript + build-mode: none + queries: security-and-quality + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:javascript-typescript" + + analyze-dotnet: + name: Analyze .NET Samples if: github.repository == 'AzureCosmosDB/samples' runs-on: ubuntu-latest permissions: @@ -57,7 +80,7 @@ jobs: category: "/language:csharp" analyze-go: - name: Analyze (go) + name: Analyze Go Samples if: github.repository == 'AzureCosmosDB/samples' runs-on: ubuntu-latest permissions: From 7e85f1f3d4dbc7f55ba3b9aa28deac140f4adf1a Mon Sep 17 00:00:00 2001 From: Sidney Andrews Date: Thu, 19 Mar 2026 09:28:36 -0400 Subject: [PATCH 4/6] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sidney Andrews --- .github/workflows/codeql.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8596562..b64295a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,7 +21,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: @@ -44,7 +44,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: 
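Review bot: The new `analyze-javascript` job repeats the Python job line for line apart from `languages`, `build-mode` and `category`, and the renamed `analyze-dotnet` and `analyze-go` jobs differ only in the same three values, so every later change to the scan configuration has to be applied four times (a later patch in this series adding a step-level guard does exactly that). One job with a `strategy.matrix.include` list carrying `language`, `build-mode` and a display name reproduces the same check names through `name: Analyze ${{ matrix.display }} Samples` and is the shape of GitHub's own CodeQL starter workflow. This presumes the four job ids are not referenced elsewhere, which the diff cannot show; the `if:`, `runs-on:` and `permissions:` blocks carry over unchanged.
```yaml
  analyze:
    name: Analyze ${{ matrix.display }} Samples
    # … unchanged: if / runs-on / permissions …
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: python
            display: Python
            build-mode: none
          - language: javascript-typescript
            display: JavaScript/TypeScript
            build-mode: none
          - language: csharp
            display: ".NET"
            build-mode: none
          - language: go
            display: Go
            build-mode: autobuild
    steps:
      # … unchanged: checkout …
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-and-quality
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```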
@@ -67,7 +67,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: @@ -90,7 +90,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: From 46afb3b7e0f2748825548933d59bb3cf5e625fa9 Mon Sep 17 00:00:00 2001 From: Sidney Andrews Date: Thu, 19 Mar 2026 09:28:52 -0400 Subject: [PATCH 5/6] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Sidney Andrews --- .github/workflows/codeql.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b64295a..671f4c3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,6 +9,10 @@ on: - cron: '30 4 * * 2' workflow_dispatch: +concurrency: + group: codeql-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: analyze-python: name: Analyze Python Samples From 4ad7abe1a6f42b032239fd8e30533b0b4b4dc83f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Mar 2026 13:30:51 +0000 Subject: [PATCH 6/6] Move repository guard from job-level to analyze step to fix fork PR status checks Co-authored-by: seesharprun <5067401+seesharprun@users.noreply.github.com> --- .github/workflows/codeql.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 671f4c3..e86d6d1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -16,7 +16,6 @@ concurrency: jobs: analyze-python: name: Analyze Python Samples - if: github.repository == 'AzureCosmosDB/samples' runs-on: ubuntu-latest permissions: security-events: write 
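Review bot: `cancel-in-progress: true` with a group keyed on `github.ref` also covers `push` events on `main` and the weekly `schedule` run, both of which resolve to `refs/heads/main`, so a push that lands while the scheduled scan or an earlier main push is still analysing cancels it and the default-branch code-scanning baseline stays stale until the next trigger. Limiting cancellation to pull requests keeps PR runs cheap without that gap: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The `codeql-${{ github.workflow }}` prefix is fine as long as the workflow name stays unique in the repository.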
@@ -33,13 +32,13 @@ jobs: build-mode: none queries: security-and-quality - name: Perform CodeQL Analysis + if: github.repository == 'AzureCosmosDB/samples' uses: github/codeql-action/analyze@v3 with: category: "/language:python" analyze-javascript: name: Analyze JavaScript/TypeScript Samples - if: github.repository == 'AzureCosmosDB/samples' runs-on: ubuntu-latest permissions: security-events: write @@ -56,13 +55,13 @@ jobs: build-mode: none queries: security-and-quality - name: Perform CodeQL Analysis + if: github.repository == 'AzureCosmosDB/samples' uses: github/codeql-action/analyze@v3 with: category: "/language:javascript-typescript" analyze-dotnet: name: Analyze .NET Samples - if: github.repository == 'AzureCosmosDB/samples' runs-on: ubuntu-latest permissions: security-events: write @@ -79,13 +78,13 @@ jobs: build-mode: none queries: security-and-quality - name: Perform CodeQL Analysis + if: github.repository == 'AzureCosmosDB/samples' uses: github/codeql-action/analyze@v3 with: category: "/language:csharp" analyze-go: name: Analyze Go Samples - if: github.repository == 'AzureCosmosDB/samples' runs-on: ubuntu-latest permissions: security-events: write @@ -102,6 +101,7 @@ jobs: build-mode: autobuild queries: security-and-quality - name: Perform CodeQL Analysis + if: github.repository == 'AzureCosmosDB/samples' uses: github/codeql-action/analyze@v3 with: category: "/language:go"
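Review bot: With the guard moved onto `Perform CodeQL Analysis` only, any fork with Actions enabled still runs checkout and `Initialize CodeQL` (the CodeQL bundle download plus whatever work the configured `build-mode` triggers) in all four jobs and then throws the result away. Adding the same `if: github.repository == 'AzureCosmosDB/samples'` to each `Initialize CodeQL` step keeps the jobs as cheap, green status checks on forks, which is the outcome this commit is after, while the upstream repository's behaviour is unchanged. The same applies to the javascript, csharp and go hunks that follow (`@@ -56,13 +55,13`, `@@ -79,13 +78,13`, `@@ -102,6 +101,7`); each job's header sits above its hunk.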