Adds static analysis via GitHub CodeQL for Kotlin code:
- Triggers on PR to main/develop and weekly schedule (Mondays 08:00 UTC)
- Runs on ubuntu-latest (only Android/JVM compilation needed, no macOS required)
- Uses java-kotlin language with manual build mode via assembleDebug
- Results surface in Security → Code Scanning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Adds a GitHub Actions workflow to run GitHub CodeQL code scanning for the repository’s Kotlin/Java sources, integrating results into GitHub’s Code Scanning UI.
Changes:
- Introduces a new CodeQL workflow triggered on PRs to `main`/`develop` and on a weekly cron.
- Initializes CodeQL for `java-kotlin` and performs a manual Gradle build (`sample:android:assembleDebug`) before analysis.
- Scopes job permissions to enable uploading code-scanning results.
```yaml
java-version: |
  17
  21
```
actions/setup-java expects a single Java version value; using a YAML block here produces one multiline string (e.g., "17\n21") which can cause the setup step to fail or install an unintended version. Use a single version (likely 17 for Android builds) or a matrix to run the workflow separately per JDK version.
```diff
-java-version: |
-  17
-  21
+java-version: '17'
```
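Review bot: the multiline `java-version` block is not simply an invalid value; the actions/setup-java README documents this exact form under "Install multiple JDKs" (every listed version is installed and added to PATH, and the last one listed becomes the default JAVA_HOME), so with `17` then `21` the Gradle build and the CodeQL Kotlin extractor run on JDK 21, not 17. If the Android build is meant to compile on 17, either list 17 last or keep the single-value suggestion; whichever JDK ends up default is the one the manual build step observes.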
```yaml
- name: Copy CI gradle.properties
  run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties
```
The run: mkdir -p ... ; cp ... uses ;, so the cp will execute even if the mkdir fails. Prefer && or a multiline script with set -euo pipefail so this step fails fast and doesn’t mask environment/setup issues.
```diff
-run: mkdir -p ~/.gradle ; cp .github/ci-gradle.properties ~/.gradle/gradle.properties
+run: |
+  set -euo pipefail
+  mkdir -p ~/.gradle
+  cp .github/ci-gradle.properties ~/.gradle/gradle.properties
```
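Review bot: on a Linux runner a `run` step with no `shell:` key is already executed as `bash -e {0}`, so even the `;` form aborts the step when `mkdir` fails; what the suggested `set -euo pipefail` actually adds is `-u` (unset variables are errors) and `pipefail`. Adding `shell: bash` to the step makes that explicit (GitHub then runs `bash --noprofile --norc -eo pipefail {0}`) and documents the intent for the next reader. The step also depends on `.github/ci-gradle.properties` being present in the workspace, so it must stay after the checkout step.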
blocked by CodeQL not supporting Kotlin 2.3.20
Summary
- Adds `.github/workflows/codeql.yml` for static security analysis via GitHub CodeQL
- Language: `java-kotlin` — covers all Kotlin source across library and sample modules
- Build mode: `manual` with `./gradlew sample:android:assembleDebug` (more reliable than autobuild for KMP/Gradle)
- Runner: `ubuntu-latest` — no macOS runner needed since only Android/JVM targets are compiled
- Triggers: PRs to `main`/`develop` and on a weekly schedule (Mondays 08:00 UTC)

Notes
- `codeql-action@v4` throughout
- `security-events: write` + `actions: read` + `contents: read` permissions scoped to the job

🤖 Generated with Claude Code
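The workflow the summary above describes, assembled here as an added example rather than the PR's own `codeql.yml` (which is not shown on this page); the `actions/checkout@v4` and `actions/setup-java@v4` versions, the `temurin` distribution and the explicit `shell: bash` are assumptions, while the triggers, runner, language, build mode, Gradle task, action major version and permissions come from the PR text:

```yaml
name: CodeQL

on:
  pull_request:
    branches: [main, develop]
  schedule:
    - cron: '0 8 * * 1'      # Mondays 08:00 UTC (from the PR description)

# Workflow-level default: read-only; the job below widens only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (java-kotlin)
    runs-on: ubuntu-latest          # Android/JVM targets only, no macOS needed
    permissions:
      security-events: write        # required to upload SARIF to Code Scanning
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4   # assumed version

      - uses: actions/setup-java@v4 # assumed version
        with:
          distribution: temurin     # assumed distribution
          java-version: '17'        # single JDK, as the review suggested

      - name: Copy CI gradle.properties
        shell: bash                 # explicit: bash --noprofile --norc -eo pipefail
        run: |
          set -euo pipefail
          mkdir -p ~/.gradle
          cp .github/ci-gradle.properties ~/.gradle/gradle.properties

      - uses: github/codeql-action/init@v4
        with:
          languages: java-kotlin
          build-mode: manual        # we drive the build ourselves below

      - name: Build for analysis
        run: ./gradlew sample:android:assembleDebug

      - uses: github/codeql-action/analyze@v4
        with:
          category: '/language:java-kotlin'
```

Because the build mode is `manual`, only code compiled by the `assembleDebug` step is visible to the Kotlin extractor; modules that task does not build produce no findings, so the chosen task decides the scan's coverage.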