
codeql: run noop JS analysis on every PR/push to satisfy Scorecard SAST check#44769

Closed
Copilot wants to merge 2 commits into main from copilot/update-codeql-trigger-for-prs

Conversation

Contributor

Copilot AI commented Apr 30, 2026

OpenSSF Scorecard's SAST check iterates the last ~30 merge commits and counts how many have a github-code-scanning check run with conclusion success/neutral. The paths: filter on on.push meant commits not touching include/** or source/common/** produced no check run, penalizing the SAST score and generating alert #54.

Changes

  • Remove paths: filter from on.push — workflow now triggers on every push to main and every PR, unconditionally.

  • Add "Detect C++ changes" step — diffs HEAD against main (PR) or HEAD^1 (push) over source/ and include/, sets CPP_CHANGED=true|false.

  • Noop path (CPP_CHANGED=false) — runs only codeql-action/init with languages: javascript (no compiler, no build toolchain, ~30s) then analyze. Skips bind-mounts, disk cleanup, clang install, bazel build, and artifact cleanup entirely.

  • C++ path (CPP_CHANGED=true) — existing behavior preserved exactly: clang install, bazel build against computed targets, init with languages: cpp + codeql-config.yml, analyze.

  • Perform CodeQL Analysis always runs — this is the step that posts the github-code-scanning check run Scorecard requires.

  • Remove assert_lib fallback — the expensive default build target is dropped. The Build step is additionally guarded by env.BUILD_TARGETS != ''; if bazel query yields nothing despite C++ changes, build is skipped but analyze still runs.

Original prompt

Background

.github/workflows/codeql-push.yml is currently gated at the trigger level:

on:
  push:
    paths:
    - include/**
    - source/common/**
    branches:
    - main
  pull_request:
    branches:
    - main

Because most PRs do not touch source/common/** or include/**, CodeQL produces no github-code-scanning check run for them. OpenSSF Scorecard's SAST check (source) iterates the last ~30 merge commits and counts how many have a check run from the github-code-scanning app with conclusion success/neutral. Commits without such a check run drop the SAST score, and Scorecard's SARIF gets uploaded to code scanning, producing alerts like https://github.com/envoyproxy/envoy/security/code-scanning/54.

Goal

Make github/codeql-action/analyze execute (successfully) on every PR and main push, while doing no expensive work when the change does not touch C++ source. Do not run a C++ build for irrelevant changes — assert_lib is too expensive.

Approach

Edit .github/workflows/codeql-push.yml as follows:

  1. Remove the paths: filter from on.push so the workflow triggers on every push to main and every pull_request. Keep the existing branches: filters.

  2. Add an early step that detects whether the diff against main (or HEAD^1 for push) contains any files under source/** or include/**. Set a job-level output / env var, e.g. CPP_CHANGED=true|false. Reuse the existing git diff --name-only machinery already present in the "Get build targets" step rather than adding a third-party action.

  3. Branch the workflow on CPP_CHANGED:

    • When CPP_CHANGED == 'true' (current behavior): run init with languages: cpp, install clang, run the bazel build step against the computed BUILD_TARGETS, then analyze. Keep the existing logic intact.
    • When CPP_CHANGED == 'false' (the noop path): run init with languages: javascript (a build-mode: none language — no compiler/toolchain install, no bazel build, finishes in ~30s) and then analyze. Skip clang install, Get build targets, Build, Clean Artifacts, Free disk space, and the bind-mounts step entirely on this path by guarding them with if: env.CPP_CHANGED == 'true'.
  4. Ensure the Initialize CodeQL and Perform CodeQL Analysis steps always run. They are the steps Scorecard cares about — they post the github-code-scanning check run.

  5. The existing config-file: ./.github/codeql/codeql-config.yml is C++-specific (path filters, queries for cpp). It's fine to keep applying it on the cpp path. On the javascript noop path, omit the config-file (or pass nothing) so default JS queries run against whatever JS happens to live in the repo. Do not add new javascript queries — the goal is a fast, valid analysis, not findings.

  6. Remove the now-unused MINIMAL_BUILD_TARGET=//source/common/common:assert_lib fallback, since the cpp path will only execute when there are real changes that produce real BUILD_TARGETS. If BUILD_TARGETS is empty on the cpp path (e.g. only doc/comment-level changes inside source/), keep a tiny safe fallback or simply skip analyze — but prefer: if CPP_CHANGED=true always run analyze with whatever bazel produced, falling back to the smallest practical target only if absolutely needed.

Acceptance criteria

  • Every push to main and every pull_request to main produces a github-code-scanning check run with conclusion success (or neutral).
  • Pull requests that touch only docs / CI / mobile / non-C++ paths complete the workflow in a couple of minutes with no clang download and no bazel build.
  • Pull requests that touch source/** or include/** retain the current C++ CodeQL behavior unchanged (same languages, same config file, same build command).
  • .github/workflows/codeql-daily.yml is unrelated and must not be modified.
  • .github/workflows/scorecard.yml is unrelated and must not be modified.

Files to edit

  • .github/workflows/codeql-push.yml (only)

Reference

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: this one is annoying - we intentionally don't run CodeQL on all commits - but then that is creating an alert and reducing our score - how to resolve

Assistant: The alert at envoyproxy/envoy/security/code-scanning/54 is being produced by the OpenSSF Scorecard workflow (.github/workflows/scorecard.yml), not by CodeQL itself. Scorecard's SAST check runs, sees that CodeQL doesn't analyze every PR/commit on main, and uploads that finding as a SARIF result to GitHub code scanning — which is why it shows up under /security/code-scanning.

There are really only two levers here, and the...

This pull request was created from Copilot chat.
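The "Detect C++ changes" step described above, written out as an added shell example. This is not the envoyproxy/envoy workflow's own code: the function names, the origin/main base ref used for the pull_request diff, and the GITHUB_ENV export are assumptions, and the sample path lists at the bottom are constructed, not taken from a real diff.

```shell
#!/usr/bin/env bash
# Added example (not code from the envoyproxy/envoy workflow). Assumed names:
#   cpp_changed_from_list  - decides from a `git diff --name-only` style path list
#   detect_cpp_changes     - runs the diff and writes CPP_CHANGED to $GITHUB_ENV

# Read a newline-separated list of repository paths on stdin and print "true"
# if any of them lives under source/ or include/ at the repository root,
# otherwise "false". The pattern is anchored to the start of the path so that
# docs/source/conf.py or mobile/include/foo.h do not count as C++ changes.
cpp_changed_from_list() {
  if grep -Eq '^(source|include)/'; then
    echo true
  else
    echo false
  fi
}

# Run the diff the PR description calls for: HEAD against the base branch on a
# pull_request event, HEAD against HEAD^1 on a push. $1 is the event name
# (GITHUB_EVENT_NAME), $2 the base branch (defaults to main; assumption).
detect_cpp_changes() {
  local event="$1" base="${2:-main}" range result
  if [ "$event" = "pull_request" ]; then
    # Three-dot form: files changed on the PR side since the merge base.
    range="origin/${base}...HEAD"
  else
    range="HEAD^1..HEAD"
  fi
  # Restrict the diff to the two trees of interest, then apply the same
  # anchored filter so the decision logic lives in one place.
  result="$(git diff --name-only "$range" -- source/ include/ | cpp_changed_from_list)"
  # Under GitHub Actions, export for the `if: env.CPP_CHANGED == 'true'` guards.
  if [ -n "${GITHUB_ENV:-}" ]; then
    echo "CPP_CHANGED=${result}" >> "$GITHUB_ENV"
  fi
  echo "$result"
}

# Constructed sample path lists showing the decision without a git checkout.
printf 'docs/root/intro.rst\nmobile/library/common/engine.cc\n' | cpp_changed_from_list  # false
printf 'source/common/http/codec.cc\n' | cpp_changed_from_list                            # true
```

In a workflow step the call would be `detect_cpp_changes "$GITHUB_EVENT_NAME" main`. Note that actions/checkout fetches a single commit by default, so the push branch of this script needs `fetch-depth: 2` for HEAD^1 to exist, and the pull_request branch needs origin/main fetched before the diff runs.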

@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #44769 was opened by Copilot.


…rd SAST check

- Remove paths: filter from on.push (workflow now triggers on every push to
  main and every PR to main, not just those touching include/** or source/common/**)
- Add 'Detect C++ changes' step that sets CPP_CHANGED=true|false by diffing
  HEAD against main (PR) or HEAD^1 (push) over source/ and include/
- Guard bind-mounts, free-disk, second-checkout, get-build-targets,
  install-deps, build, and clean-artifacts with env.CPP_CHANGED == 'true'
- Split Initialize CodeQL into two conditional steps:
    cpp path (CPP_CHANGED==true): languages: cpp + existing config-file
    noop path (CPP_CHANGED!=true): languages: javascript, no config-file
- Guard Build with env.BUILD_TARGETS != '' in addition to CPP_CHANGED==true
  so that if bazel query yields nothing analyze still runs
- Remove 'Set default build target' step and assert_lib fallback entirely
- Keep 'Perform CodeQL Analysis' unconditional so every run posts a
  github-code-scanning check run with conclusion 'success' (Scorecard SAST)
- Add explanatory comments on the early checkout and the JS noop init step

Agent-Logs-Url: https://github.com/envoyproxy/envoy/sessions/e5515741-10c2-462f-83b5-8636d7c72991

Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update CodeQL trigger to run on all PRs" to "codeql: run noop JS analysis on every PR/push to satisfy Scorecard SAST check" on Apr 30, 2026
Copilot AI requested a review from phlax April 30, 2026 12:09
@phlax phlax closed this Apr 30, 2026
@phlax phlax deleted the copilot/update-codeql-trigger-for-prs branch April 30, 2026 21:09
