Test

[iamkabelomoobi]

Summary by Sourcery

CI:

• Introduce a CodeQL analysis GitHub Actions workflow triggered on pushes, pull requests, and a weekly schedule

[sourcery-ai]

Reviewer's Guide

Adds a new GitHub Actions workflow to run CodeQL advanced security scans for JavaScript/TypeScript on main branch pushes, pull requests, and a weekly schedule.

File-Level Changes

Change	Details	Files
Introduce a CodeQL Advanced GitHub Actions workflow for JavaScript/TypeScript.	Create a new workflow triggered on pushes and pull requests to main and on a weekly cron schedule. Configure a single analysis job that runs on Ubuntu by default, with macOS used only when analyzing Swift (not currently in the matrix). Define a matrix with javascript-typescript language and build mode set to none, and wire these matrix values into the CodeQL init step. Add standard steps for checking out the repository, initializing CodeQL, an optional manual build step gated on build-mode == 'manual', and running the CodeQL analyze action with a language-specific category.	.github/workflows/codeql.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `.github/workflows/codeql.yml:57-58` </location>
<code_context>
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Pin GitHub Actions to commit SHAs instead of floating major versions

Using `@v4` means any future v4 release is automatically trusted. For stronger supply-chain security, pin `actions/checkout` (and other third‑party actions in this workflow) to specific commit SHAs, optionally with a comment noting the corresponding tagged version.

Suggested implementation:

```
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

```

```
    - name: Initialize CodeQL
      uses: github/codeql-action/init@c723c2bcdac4f49a15190108bcede8f971c53e10 # v4.0.0
      with:
        languages: ${{ matrix.language }}

```
</issue_to_address>

### Comment 2
<location> `.github/workflows/codeql.yml:28-31` </location>
<code_context>
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
</code_context>

<issue_to_address>
**suggestion:** Simplify or align the runner selection with the current language matrix

The `runs-on` condition special-cases `swift`, but the matrix only defines `javascript-typescript`. This is harmless but misleading about supported languages. Either remove the Swift branch for now or add a Swift entry to the matrix so the special-casing is justified.

```suggestion
    #   - https://gh.io/using-larger-runners (GitHub.com only)
    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
    runs-on: ubuntu-latest
    permissions:
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}