Skip to content

Test#2

Merged
iamkabelomoobi merged 2 commits intomainfrom
test
Feb 21, 2026
Merged

Test#2
iamkabelomoobi merged 2 commits intomainfrom
test

Conversation

@iamkabelomoobi
Copy link
Owner

@iamkabelomoobi iamkabelomoobi commented Feb 21, 2026

Summary by Sourcery

CI:

  • Introduce a CodeQL analysis GitHub Actions workflow triggered on pushes, pull requests, and a weekly schedule

@sourcery-ai
Copy link

sourcery-ai bot commented Feb 21, 2026

Reviewer's Guide

Adds a new GitHub Actions workflow to run CodeQL advanced security scans for JavaScript/TypeScript on main branch pushes, pull requests, and a weekly schedule.

File-Level Changes

Change Details Files
Introduce a CodeQL Advanced GitHub Actions workflow for JavaScript/TypeScript.
  • Create a new workflow triggered on pushes and pull requests to main and on a weekly cron schedule.
  • Configure a single analysis job that runs on Ubuntu by default, with macOS used only when analyzing Swift (not currently in the matrix).
  • Define a matrix with javascript-typescript language and build mode set to none, and wire these matrix values into the CodeQL init step.
  • Add standard steps for checking out the repository, initializing CodeQL, an optional manual build step gated on build-mode == 'manual', and running the CodeQL analyze action with a language-specific category.
.github/workflows/codeql.yml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 2 issues

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `.github/workflows/codeql.yml:57-58` </location>
<code_context>
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Pin GitHub Actions to commit SHAs instead of floating major versions

Using `@v4` means any future v4 release is automatically trusted. For stronger supply-chain security, pin `actions/checkout` (and other third‑party actions in this workflow) to specific commit SHAs, optionally with a comment noting the corresponding tagged version.

Suggested implementation:

```
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

```

```
    - name: Initialize CodeQL
      uses: github/codeql-action/init@c723c2bcdac4f49a15190108bcede8f971c53e10 # v4.0.0
      with:
        languages: ${{ matrix.language }}

```
</issue_to_address>

### Comment 2
<location> `.github/workflows/codeql.yml:28-31` </location>
<code_context>
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
</code_context>

<issue_to_address>
**suggestion:** Simplify or align the runner selection with the current language matrix

The `runs-on` condition special-cases `swift`, but the matrix only defines `javascript-typescript`. This is harmless but misleading about supported languages. Either remove the Swift branch for now or add a Swift entry to the matrix so the special-casing is justified.

```suggestion
    #   - https://gh.io/using-larger-runners (GitHub.com only)
    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
    runs-on: ubuntu-latest
    permissions:
```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@iamkabelomoobi iamkabelomoobi merged commit 3ec9875 into main Feb 21, 2026
1 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant