Fix Codacy workflow: Explicitly specify analysis tools to prevent PMD execution

[Copilot]

The Codacy Security Scan workflow was failing with PMD "No rules found" errors because it lacked explicit tool specification, causing Codacy to ignore .codacy.yml and run PMD by default on a JavaScript/TypeScript repository.

Changes

• Added tool: eslint,eslint-typescript,shellcheck parameter to .github/workflows/codacy.yml to explicitly specify analyzers
• Added exclude: '.cursor/**,.gitmodules' parameter to align with codacy-analysis.yml configuration

# .github/workflows/codacy.yml (line 59)
- name: Run Codacy Analysis CLI
  uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
  with:
    project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
    # ... other parameters ...
    tool: eslint,eslint-typescript,shellcheck
    exclude: '.cursor/**,.gitmodules'

This matches the working configuration in codacy-analysis.yml and prevents the CLI from attempting Java-specific analysis on a Node.js codebase.

Original prompt

Problem

The Codacy Security Scan workflow (.github/workflows/codacy.yml) is failing because it doesn't specify which tools to run, causing Codacy to attempt running PMD/PMD-legacy by default. This ignores the existing .codacy.yml configuration that already disables PMD.

The repository has already disabled PMD in .codacy.yml:

engines:
  pmd:
    enabled: false
  pmd-legacy:
    enabled: false

However, the .github/workflows/codacy.yml workflow at line 59 does NOT specify the tool: parameter in the Codacy Analysis CLI action, causing it to ignore the .codacy.yml configuration and attempt to run PMD anyway.

This causes the following error repeatedly:

ERROR c.c.a.c.a.CodacyPluginsAnalyser:30 - Failed analysis for pmd
java.lang.Throwable:
Docker exited with code 1
stderr: Jan 21, 2026 6:32:08 AM net.sourceforge.pmd.RulesetsFactoryUtils getRuleSets
SEVERE: No rules found. Maybe you misspelled a rule name? (null)

Solution Required

Update .github/workflows/codacy.yml to match the working configuration in .github/workflows/codacy-analysis.yml by adding the tool: parameter to explicitly specify only the tools relevant to this JavaScript/TypeScript repository.

In .github/workflows/codacy.yml at line 59, add the following parameters to the codacy/codacy-analysis-cli-action step:

tool: eslint,eslint-typescript,shellcheck
exclude: '.cursor/**,.gitmodules'

This will:

1. Prevent Codacy from attempting to run PMD/PMD-legacy
2. Only run tools appropriate for JavaScript/TypeScript codebases
3. Match the configuration that already works in codacy-analysis.yml
4. Respect the existing .codacy.yml exclusions

Files to Modify

• .github/workflows/codacy.yml - Add tool: and exclude: parameters to the Codacy Analysis CLI action step (around line 64)

Expected Result

After this change, the Codacy Security Scan workflow will:

• Stop attempting to run PMD analysis
• Only analyze code using eslint, eslint-typescript, and shellcheck
• Successfully complete without PMD-related errors
• Generate and upload SARIF results correctly

This pull request was created from Copilot chat.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[codacy-production]

Codacy's Analysis Summary

0 new issue (≤ 0 issue)
0 new security issue

Review Pull Request in Codacy →

✨ AI Reviewer available: add the codacy-review label to get contextual insights without leaving GitHub.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}