From 287dd99b49972d0e958b45378e44719cf249e526 Mon Sep 17 00:00:00 2001
From: Shahar Epstein <60007259+shahar1@users.noreply.github.com>
Date: Fri, 5 Jun 2026 19:27:46 +0300
Subject: [PATCH 1/2] Extend CodeQL language gating to push-to-main events
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

running all five languages unconditionally. Extend the detect-languages job to use the GitHub compare API (before…after) for push events, so a docs-only or single-language merge to main no longer fans out all five CodeQL jobs. schedule runs are unchanged — they still scan every language to maintain periodic full-branch coverage. Falls back to all languages when the compare API is unavailable or the before SHA is all zeros (branch creation).

related: #67972
---
 .github/workflows/codeql-analysis.yml | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8ef9ddbe36097..b3ebf1eaaff3d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -22,7 +22,7 @@ on: # yamllint disable-line rule:truthy
   pull_request:
     branches: ['main', 'v[0-9]+-[0-9]+-test', 'v[0-9]+-[0-9]+-stable']
   push:
-    branches: [main]
+    branches: ['main', 'v[0-9]+-[0-9]+-test', 'v[0-9]+-[0-9]+-stable']
   schedule:
     - cron: '0 2 * * *'
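Review bot: The added `push.branches` entry also fires on the `v[0-9]+-[0-9]+-test` and `v[0-9]+-[0-9]+-stable` branches, while the commit title and description describe the change as push-to-main only; the message should state that release branches are now included so the intent of the broader trigger is reviewable. The second commit's description says release branches have no daily schedule full-scan, so for those branches the compare-based gating in the next hunk is the only CodeQL coverage. That is worth recording in the workflow itself, next to the `# On` comments above `run:`, e.g. `# Release branches get no scheduled full scan; the push path is their only coverage.`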
@@ -48,18 +48,33 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           EVENT_NAME: ${{ github.event_name }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
+          BEFORE_SHA: ${{ github.event.before }}
+          AFTER_SHA: ${{ github.event.after }}
           REPOSITORY: ${{ github.repository }}
-        # On `pull_request` we only scan the languages whose files actually changed in the PR.
-        # On `push` (to main) and `schedule` we always scan every language to keep full main coverage.
+        # On `pull_request` and `push` we only scan the languages whose files actually changed.
+        # On `schedule` we always scan every language to keep full periodic coverage.
         run: |
           set -euo pipefail
           all_languages='["python","javascript","actions","go","java"]'
-          if [[ "${EVENT_NAME}" != "pull_request" ]]; then
+          if [[ "${EVENT_NAME}" == "schedule" ]]; then
             echo "languages=${all_languages}" >> "${GITHUB_OUTPUT}"
             exit 0
           fi
-          pr_files_path="repos/${REPOSITORY}/pulls/${PR_NUMBER}/files"
-          changed_files="$(gh api --paginate "${pr_files_path}" --jq '.[].filename')"
+          if [[ "${EVENT_NAME}" == "push" ]]; then
+            changed_files="$(gh api "repos/${REPOSITORY}/compare/${BEFORE_SHA}...${AFTER_SHA}" \
+              --jq '.files[].filename')" || true
+            # Fall back to a full scan if the compare API call failed or returned nothing —
+            # e.g. a force-push, or a newly created release branch whose before SHA is all
+            # zeros (no base commit to diff against).
+            if [[ -z "${changed_files}" ]]; then
+              echo "languages=${all_languages}" >> "${GITHUB_OUTPUT}"
+              exit 0
+            fi
+          else
+            # pull_request
+            changed_files="$(gh api --paginate \
+              "repos/${REPOSITORY}/pulls/${PR_NUMBER}/files" --jq '.[].filename')"
+          fi
           languages=()
           grep -Eiq '\.(py|pyi)$' <<< "${changed_files}" && languages+=("python")
           grep -Eiq '\.(js|jsx|mjs|cjs|ts|tsx|vue)$' <<< "${changed_files}" && languages+=("javascript")

From 2c0cda3ae9f606c87bbd400832d15d3cc5bed9e6 Mon Sep 17 00:00:00 2001
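Review bot: The `else` arm labeled `# pull_request` now handles every event that is neither `schedule` nor `push`, so any other trigger added later (the `on:` block in the first hunk lists only those three today) would reach `gh api` with an empty `PR_NUMBER`, and under `set -e` the step presumably errors out instead of falling back; before this change any non-PR event got the full scan. Inverting the first guard keeps that fail-safe default and lets the `else` branch mean what its comment says: `if [[ "${EVENT_NAME}" != "pull_request" && "${EVENT_NAME}" != "push" ]]; then`. Passing `BEFORE_SHA` and `AFTER_SHA` through `env:` rather than expanding `${{ }}` inside the script is the right choice and should stay that way. The `run:` script continues past the hunk with the remaining language checks.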
From: Shahar Epstein <60007259+shahar1@users.noreply.github.com>
Date: Fri, 5 Jun 2026 20:07:12 +0300
Subject: [PATCH 2/2] Fall back to full CodeQL scan when push compare hits the 300-file cap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The GitHub compare API returns at most 300 changed files and does not paginate the file list (only commits paginate), so a merge touching more than 300 files truncates the list and could under-detect a changed language. Detect that cap and fall back to scanning every language — release branches have no daily schedule full-scan to back them up.
---
 .github/workflows/codeql-analysis.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b3ebf1eaaff3d..6856afa12b14c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -63,10 +63,13 @@ jobs:
           if [[ "${EVENT_NAME}" == "push" ]]; then
             changed_files="$(gh api "repos/${REPOSITORY}/compare/${BEFORE_SHA}...${AFTER_SHA}" \
               --jq '.files[].filename')" || true
-            # Fall back to a full scan if the compare API call failed or returned nothing —
-            # e.g. a force-push, or a newly created release branch whose before SHA is all
-            # zeros (no base commit to diff against).
-            if [[ -z "${changed_files}" ]]; then
+            num_files="$(printf '%s\n' "${changed_files}" | grep -c . || true)"
+            # Fall back to a full scan if the compare call failed, returned nothing, or hit the
+            # API's 300-file cap. The compare API does not paginate files (only commits), so a
+            # merge of >300 files truncates the list and could under-detect a changed language;
+            # release branches have no daily schedule full-scan to back them up. Empty also covers
+            # a force-push or a newly created branch whose before SHA is all zeros (no base commit).
+            if [[ -z "${changed_files}" || "${num_files}" -ge 300 ]]; then
               echo "languages=${all_languages}" >> "${GITHUB_OUTPUT}"
               exit 0
             fi
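Review bot: The cap appears as the bare literal `300` in the `if` condition and again in the comment above it, so the two can drift apart; naming it once makes the fallback self-describing. Declare `readonly compare_file_cap=300  # the compare API returns at most this many files` beside `all_languages` (above this hunk) and test `"${num_files}" -ge "${compare_file_cap}"`. Using `-ge` rather than `-gt` is the right conservative choice, since a response of exactly 300 files cannot be distinguished from a truncated one. The `|| true` after `grep -c .` is needed under `pipefail` because grep exits 1 when the count is zero, which a short why-comment on that line would make clear. The `run:` script both starts before and continues after this hunk.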