diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5b2256f59..e10ffec2d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -4,7 +4,7 @@ # # Tuned for MAXIMUM security signal with INTEGRATED AUTOFIX: # - All repo languages covered (Python, JS/TS, GitHub Actions; C/C++ via -# manual build when present). HTML is analyzed as part of +# buildless analysis). HTML is analyzed as part of # javascript-typescript. # - Query packs: security-extended + security-and-quality + experimental # security queries, plus community security packs (when available). @@ -118,7 +118,7 @@ jobs: os: ubuntu-latest - language: c-cpp - build-mode: autobuild + build-mode: none os: ubuntu-latest timeout-minutes: 360 timeout-minutes: 360 diff --git a/tests/test_codeql_workflow_paths_ignore.py b/tests/test_codeql_workflow_paths_ignore.py index 125326db7..665da6902 100644 --- a/tests/test_codeql_workflow_paths_ignore.py +++ b/tests/test_codeql_workflow_paths_ignore.py @@ -18,6 +18,20 @@ def test_codeql_workflow_ignores_issue_template_changes() -> None: assert ".github/ISSUE_TEMPLATE/**" in workflow["on"]["pull_request"]["paths-ignore"] +@pytest.mark.unit +def test_codeql_c_cpp_uses_buildless_mode() -> None: + workflow_path = Path(__file__).resolve().parents[1] / ".github" / "workflows" / "codeql.yml" + workflow = yaml.load(workflow_path.read_text(encoding="utf-8"), Loader=yaml.BaseLoader) + + c_cpp_entry = next( + entry for entry in workflow["jobs"]["analyze"]["strategy"]["matrix"]["include"] if entry["language"] == "c-cpp" + ) + + assert ( + c_cpp_entry["build-mode"] == "none" + ), "The c-cpp CodeQL lane must stay buildless so it does not invoke the repo root Makefile via autobuild." + + @pytest.mark.unit def test_codeql_autofix_ref_step_avoids_unbound_shell_vars() -> None: workflow_path = Path(__file__).resolve().parents[1] / ".github" / "workflows" / "codeql.yml" @@ -101,6 +115,6 @@ def test_codeql_config_has_document_start_and_no_trailing_whitespace() -> None: content = config_path.read_text(encoding="utf-8") assert content.startswith("---\n"), "CodeQL config must keep its YAML document start marker." - assert all(line == line.rstrip() for line in content.splitlines()), ( - "CodeQL config should not contain trailing whitespace." - ) + assert all( + line == line.rstrip() for line in content.splitlines() + ), "CodeQL config should not contain trailing whitespace."