From f03f06fdf3e8532245fc12ad98546a1feb37a1bf Mon Sep 17 00:00:00 2001
From: safaiyeh
Date: Sat, 27 Dec 2025 14:18:25 -0800
Subject: [PATCH 1/9] fix: configure CodeQL with buildless extraction for java-kotlin
- Use build-mode: none for java-kotlin to avoid Gradle build issues
- Set up Java 17 to ensure Gradle compatibility if needed
- Add javascript-typescript analysis for TypeScript source code
Fixes CodeQL autobuild failure caused by Gradle 9.2.1 requiring JVM 17+ while autobuild incorrectly selected JVM 8 based on sourceCompatibility.
---
.github/workflows/codeql.yml | 51 ++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..a3cb013b
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,51 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+ schedule:
+ - cron: "30 1 * * 0"
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: java-kotlin
+ build-mode: none
+ - language: javascript-typescript
+ build-mode: none
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Java 17
+ if: matrix.language == 'java-kotlin'
+ uses: actions/setup-java@v4
+ with:
+ distribution: "temurin"
+ java-version: "17"
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
+
From dd16e54051d71f8f83ccf846dbeae738a4fac3db Mon Sep 17 00:00:00 2001
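Review bot: Every `uses:` in the new file (`actions/checkout@v4`, `actions/setup-java@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) references a mutable major tag, and the job runs on `pull_request` with `security-events: write`, so a moved or compromised tag executes with the scan-upload permission; pin each to a full-length commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<commit-sha> # v4`) and let Dependabot move the pins. The `permissions` block grants `packages: read` although no step on the page pulls from GitHub Packages — drop it to keep the job at the minimum it actually uses. With `build-mode: none` nothing consumes the Set up Java 17 step (the commit message itself says "if needed"); either remove it or add `# not used by buildless extraction; kept for a future traced build` so its purpose is recorded.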
From: safaiyeh
Date: Sat, 27 Dec 2025 14:20:55 -0800
Subject: [PATCH 2/9] chore: remove javascript-typescript from CodeQL workflow
---
.github/workflows/codeql.yml | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a3cb013b..ac6721c2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,7 +10,7 @@ on:
 jobs:
 analyze:
- name: Analyze (${{ matrix.language }})
+ name: Analyze (java-kotlin)
 runs-on: ubuntu-latest
 permissions:
 security-events: write
@@ -18,21 +18,11 @@ jobs:
 actions: read
 contents: read
- strategy:
- fail-fast: false
- matrix:
- include:
- - language: java-kotlin
- build-mode: none
- - language: javascript-typescript
- build-mode: none
-
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
 - name: Set up Java 17
- if: matrix.language == 'java-kotlin'
 uses: actions/setup-java@v4
 with:
 distribution: "temurin"
@@ -41,11 +31,11 @@ jobs:
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
- languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
+ languages: java-kotlin
+ build-mode: none
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
 with:
- category: "/language:${{ matrix.language }}"
+ category: "/language:java-kotlin"
From 8e048d549be4f427f077b26c3c37c1a5750dc734 Mon Sep 17 00:00:00 2001
From: safaiyeh
Date: Sat, 27 Dec 2025 14:23:43 -0800
Subject: [PATCH 3/9] fix: use manual build with proper React Native setup for CodeQL
- Set up Node.js and install dependencies
- Build from example/android which includes the library
- This allows CodeQL to trace the Kotlin compilation
---
.github/workflows/codeql.yml | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ac6721c2..b5c45d39 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
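Review bot: Removing the `javascript-typescript` matrix entry drops scanning of the package's TypeScript sources that the previous commit added it for, while nothing on this page says that entry was failing — the failure described was the java-kotlin autobuild. If the aim is to unblock Kotlin extraction, keep the matrix and adjust only the java-kotlin entry; collapsing to a single hard-coded language also means `name:`, `languages:` and `category:` now have to be edited in three places to add a language back. Lost coverage in a security-scanning workflow should at least be called out in the commit message.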
@@ -28,11 +28,25 @@ jobs:
 distribution: "temurin"
 java-version: "17"
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+
+ - name: Install dependencies
+ run: |
+ yarn install
+ cd example && yarn install
+
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
 languages: java-kotlin
- build-mode: none
+
+ - name: Build Android
+ run: |
+ cd example/android
+ ./gradlew --no-daemon assembleDebug
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
From b1383aceedbd6ca1960e74bebf8e7139f136807a Mon Sep 17 00:00:00 2001
From: safaiyeh
Date: Sat, 27 Dec 2025 14:26:20 -0800
Subject: [PATCH 4/9] fix: generate Gradle wrapper before build
The gradle-wrapper.jar is not committed to the repo
---
.github/workflows/codeql.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b5c45d39..69703b79 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -46,6 +46,7 @@ jobs:
 - name: Build Android
 run: |
 cd example/android
+ gradle wrapper
 ./gradlew --no-daemon assembleDebug
 - name: Perform CodeQL Analysis
From 85f666b2042fc39ae883fa0fc8ee8a45318829ac Mon Sep 17 00:00:00 2001
From: safaiyeh
Date: Sat, 27 Dec 2025 14:30:12 -0800
Subject: [PATCH 5/9] chore: add caching and use latest LTS Node
- Add Gradle caching via setup-java
- Add Yarn caching via setup-node
- Use lts/* for latest LTS Node version
- Use --frozen-lockfile for reproducible installs
---
.github/workflows/codeql.yml | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 69703b79..b75647b3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
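Review bot: The new Install dependencies step runs `yarn install` without `--frozen-lockfile`, so the tree CodeQL scans is built from whatever yarn resolves at run time rather than the committed lockfile, and on `pull_request` that resolution and every package lifecycle script it triggers come from the PR's tree; use `yarn install --frozen-lockfile` for both the root and the `example` install. The hunk removes `build-mode: none` but puts nothing in its place, leaving the init step on its default for java-kotlin while a hand-written build follows; write `build-mode: manual` explicitly so the intent is visible in the file. `./gradlew` also assumes `example/android/gradlew` and its wrapper jar are in the checkout, which the next patch on this page says they are not.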
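Review bot: `gradle wrapper` regenerates `gradlew` and `gradle-wrapper.jar` from whatever Gradle the `ubuntu-latest` image happens to ship, so the build tool that compiles the code under scan is chosen by the runner image rather than by the repository, and `./gradlew` then downloads the distribution named in `gradle-wrapper.properties`, which is only integrity-checked when `distributionSha256Sum` is set there (not visible on this page). Prefer committing the wrapper jar and validating it with Gradle's wrapper-validation action, or pin an explicit Gradle version in the workflow; in either case confirm `distributionSha256Sum` is present in `example/android/gradle/wrapper/gradle-wrapper.properties`. A comment such as `# wrapper jar is not committed; regenerated from the runner's Gradle` above the line would at least record why the build mutates its own checkout.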
@@ -27,16 +27,20 @@ jobs:
 with:
 distribution: "temurin"
 java-version: "17"
+ cache: "gradle"
 - name: Set up Node.js
 uses: actions/setup-node@v4
 with:
- node-version: "20"
+ node-version: "lts/*"
+ cache: "yarn"
- - name: Install dependencies
- run: |
- yarn install
- cd example && yarn install
+ - name: Install root dependencies
+ run: yarn install --frozen-lockfile
+
+ - name: Install example dependencies
+ run: yarn install --frozen-lockfile
+ working-directory: example
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
From 601bb5d88533e2167b62467df54799259d8a9520 Mon Sep 17 00:00:00 2001
From: safaiyeh
Date: Sat, 27 Dec 2025 14:34:55 -0800
Subject: [PATCH 6/9] fix: download Gradle wrapper jar instead of using system Gradle
The system Gradle 9.2.1 has Kotlin 2.2.x which is incompatible with React Native's gradle-plugin that requires Kotlin 1.9.x. Download the wrapper jar for Gradle 8.10.2 directly instead.
---
.github/workflows/codeql.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b75647b3..7e4e2941 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -50,7 +50,8 @@ jobs:
 - name: Build Android
 run: |
 cd example/android
- gradle wrapper
+ mkdir -p gradle/wrapper
+ curl -L -o gradle/wrapper/gradle-wrapper.jar https://github.com/gradle/gradle/raw/v8.10.2/gradle/wrapper/gradle-wrapper.jar
 ./gradlew --no-daemon assembleDebug
 - name: Perform CodeQL Analysis
From 58a859b77bc0e237d0d7a9b51746d52c85028084 Mon Sep 17 00:00:00 2001
From: safaiyeh
Date: Sat, 27 Dec 2025 14:36:40 -0800
Subject: [PATCH 7/9] chore: use gradle/actions/setup-gradle for proper Gradle setup with caching
Replaces manual wrapper jar download with the official Gradle action which handles wrapper installation and provides automatic caching.
---
.github/workflows/codeql.yml | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
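Review bot: `node-version: "lts/*"` is a floating selector, so the Node toolchain used to install dependencies changes whenever a new LTS line ships, which works against the reproducibility the `--frozen-lockfile` additions in the same hunk are meant to give; pin a concrete line (`node-version: "20"`, as before) or point `node-version-file` at a committed `.nvmrc`. The `cache: "gradle"` / `cache: "yarn"` keys restore third-party build artifacts from the Actions cache into this job; that is acceptable with its read-only token plus `security-events: write`, but it is worth a one-line comment because cache contents are a known tampering vector for workflows that can write. `working-directory: example` for the second install, instead of the earlier `cd example &&` chain, is the clearer form and should be kept.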
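Review bot: The new `curl -L -o gradle/wrapper/gradle-wrapper.jar https://github.com/gradle/gradle/raw/v8.10.2/gradle/wrapper/gradle-wrapper.jar` fetches an executable jar at build time and `./gradlew` runs it immediately with no integrity check, and without `--fail` a 404 or an HTML error page is saved as the jar and handed to the JVM. Add `-f` and verify the file against the wrapper-jar SHA-256 that Gradle publishes for 8.10.2 before running it: `curl -fsSL -o gradle/wrapper/gradle-wrapper.jar <url>` then `echo "<expected-sha256>  gradle/wrapper/gradle-wrapper.jar" | sha256sum -c -`. Committing the jar and checking it with Gradle's wrapper-validation action would remove the run-time download entirely.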
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7e4e2941..09fc66e4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,9 @@ jobs:
 with:
 distribution: "temurin"
 java-version: "17"
- cache: "gradle"
+
+ - name: Set up Gradle
+ uses: gradle/actions/setup-gradle@v4
 - name: Set up Node.js
 uses: actions/setup-node@v4
@@ -48,11 +50,8 @@ jobs:
 languages: java-kotlin
 - name: Build Android
- run: |
- cd example/android
- mkdir -p gradle/wrapper
- curl -L -o gradle/wrapper/gradle-wrapper.jar https://github.com/gradle/gradle/raw/v8.10.2/gradle/wrapper/gradle-wrapper.jar
- ./gradlew --no-daemon assembleDebug
+ run: ./gradlew --no-daemon assembleDebug
+ working-directory: example/android
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
From 47802c5ee40483382d7a6cde009b6e412b9562b8 Mon Sep 17 00:00:00 2001
From: safaiyeh
Date: Sat, 27 Dec 2025 14:39:14 -0800
Subject: [PATCH 8/9] fix: specify gradle-version and use gradle command directly
The wrapper jar is not in the repo, so use the installed Gradle directly instead of relying on the wrapper.
---
.github/workflows/codeql.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 09fc66e4..ea57d268 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -30,6 +30,8 @@ jobs:
 - name: Set up Gradle
 uses: gradle/actions/setup-gradle@v4
+ with:
+ gradle-version: "8.10.2"
 - name: Set up Node.js
 uses: actions/setup-node@v4
@@ -50,7 +52,7 @@ jobs:
 languages: java-kotlin
 - name: Build Android
- run: ./gradlew --no-daemon assembleDebug
+ run: gradle --no-daemon assembleDebug
 working-directory: example/android
 - name: Perform CodeQL Analysis
From 8347cc795fb56047a8ed31bc48dd0f5983a1217e Mon Sep 17 00:00:00 2001
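Review bot: Going back to `./gradlew` here relies on `gradle/actions/setup-gradle@v4` providing the missing `gradle-wrapper.jar`, but the action installs a Gradle distribution and configures caching; it does not generate a wrapper, so `./gradlew` still needs the jar in the checkout (the next patch on this page works around exactly that). If the wrapper is the intended entry point, commit `gradle/wrapper/gradle-wrapper.jar` and keep setup-gradle's wrapper validation on (enabled by default in v4 per its documentation — confirm) so the jar's checksum is verified each run; otherwise set `gradle-version` and call `gradle`. `gradle/actions/setup-gradle@v4` is also the first action in this workflow from outside the `actions`/`github` orgs and is referenced by a mutable tag — pin it to a commit SHA.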
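Review bot: `run: gradle --no-daemon assembleDebug` with the action-provisioned `gradle-version: "8.10.2"` means the Gradle that compiles the scanned code is now declared in the workflow rather than in the project's `gradle-wrapper.properties`, and the two can drift silently; annotate the pin (`gradle-version: "8.10.2" # keep in sync with example/android/gradle/wrapper/gradle-wrapper.properties`) or read the version from that file. The version is correctly quoted, so it is not parsed as a float. If `example/android/gradlew` stays in the repo without its jar, contributors still hit the failure locally — either restore the jar or remove the dangling script.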
From: safaiyeh
Date: Sat, 27 Dec 2025 14:53:26 -0800
Subject: [PATCH 9/9] chore: use GitHub's advanced setup template with manual java-kotlin build
- Matrix strategy for java-kotlin, javascript-typescript, and ruby
- Manual build mode for java-kotlin with proper Gradle setup
- build-mode: none for JS/TS and Ruby
- Updated to codeql-action v4
---
.github/workflows/codeql.yml | 42 ++++++++++++++++++++++++------------
1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ea57d268..83c1b97a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: "CodeQL Advanced"
 on:
 push:
@@ -6,11 +6,11 @@ on:
 pull_request:
 branches: [master]
 schedule:
- - cron: "30 1 * * 0"
+ - cron: "42 9 * * 1"
 jobs:
 analyze:
- name: Analyze (java-kotlin)
+ name: Analyze (${{ matrix.language }})
 runs-on: ubuntu-latest
 permissions:
 security-events: write
@@ -18,45 +18,59 @@ jobs:
 actions: read
 contents: read
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: java-kotlin
+ build-mode: manual
+ - language: javascript-typescript
+ build-mode: none
+ - language: ruby
+ build-mode: none
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
 - name: Set up Java 17
+ if: matrix.language == 'java-kotlin'
 uses: actions/setup-java@v4
 with:
 distribution: "temurin"
 java-version: "17"
 - name: Set up Gradle
+ if: matrix.language == 'java-kotlin'
 uses: gradle/actions/setup-gradle@v4
 with:
 gradle-version: "8.10.2"
 - name: Set up Node.js
+ if: matrix.language == 'java-kotlin'
 uses: actions/setup-node@v4
 with:
 node-version: "lts/*"
 cache: "yarn"
- - name: Install root dependencies
- run: yarn install --frozen-lockfile
-
- - name: Install example dependencies
- run: yarn install --frozen-lockfile
- working-directory: example
+ - name: Install dependencies
+ if: matrix.language == 'java-kotlin'
+ run: |
+ yarn install --frozen-lockfile
+ cd example && yarn install --frozen-lockfile
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
- languages: java-kotlin
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
 - name: Build Android
+ if: matrix.build-mode == 'manual'
 run: gradle --no-daemon assembleDebug
 working-directory: example/android
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
 with:
- category: "/language:java-kotlin"
-
+ category: "/language:${{ matrix.language }}"
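Review bot: All six `uses:` references in this hunk (`actions/checkout@v4`, `actions/setup-java@v4`, `gradle/actions/setup-gradle@v4`, `actions/setup-node@v4`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`) are mutable major tags in a job that runs on `pull_request` and holds `security-events: write`; pin each to a full commit SHA (`uses: owner/repo@<commit-sha> # v4`) and let Dependabot move the pins. The `build-mode: manual` entry runs `gradle assembleDebug` plus two `yarn install`s on the PR's tree, so third-party Gradle plugins and package lifecycle scripts execute inside the scan job; that is tolerable with this permission set, but record it above `strategy:` (`# java-kotlin is built from the PR tree: keep this job's permissions at read + security-events: write`) so nobody widens `permissions` later. The three `if: matrix.language == 'java-kotlin'` guards and the `if: matrix.build-mode == 'manual'` guard on Build Android express the same condition through different matrix fields; use one predicate (`matrix.build-mode == 'manual'`) throughout so a second traced language cannot desync the steps. The new `ruby` entry analyzes nothing unless the repo has Ruby sources (a `.podspec` would count, and this page does not show one); if it is only carried over from the template, drop it to save a runner.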