
Use linked CodeQL CLI for Kotlin 2.3.x support #197

Merged: jeremy merged 2 commits into main from kotlin-codeql on Mar 18, 2026


@jeremy jeremy commented Mar 18, 2026

Summary

Also discovered: the repo runs duplicate CodeQL checks — default setup (org-controlled) produces Analyze (*) jobs alongside our custom workflow's CodeQL (*) jobs. The org config can't be disabled per-repo without losing secret scanning/GHAS. Noted in #198.

Test plan

  • CodeQL (java-kotlin) job no longer appears in CI
  • Analyze (java-kotlin) from default setup is unaffected (currently passing)
  • All other checks pass

CodeQL CLI 2.24.3 doesn't support Kotlin 2.3.20 yet. Using `tools: linked`
tells the action to use its bundled CLI which includes pre-release support.

Ref: github/codeql#20661
@jeremy jeremy requested a review from a team as a code owner March 18, 2026 00:42
Copilot AI review requested due to automatic review settings March 18, 2026 00:42

github-actions bot commented Mar 18, 2026

Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

  • .github/workflows/codeql.yml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

@github-actions github-actions bot added the github-actions (Pull requests that update GitHub Actions) and bug (Something isn't working) labels Mar 18, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 1 file


Copilot AI left a comment


Pull request overview

This PR updates the CodeQL GitHub Actions workflow to use the action’s linked (bundled) CodeQL CLI so the java-kotlin analysis can handle Kotlin 2.3.x, addressing current CI failures.

Changes:

  • Configure the CodeQL init step in the analyze job to use tools: linked for newer Kotlin support.
  • Document the rationale inline (reference to github/codeql#20661).


CodeQL CLI 2.24.3 doesn't support Kotlin 2.3.20 (released 2026-03-16).
No CodeQL version — stable, linked, or nightly — has the fix yet.

Disables java-kotlin in the analysis matrix rather than downgrading Kotlin
or swallowing build failures. The Kotlin SDK build and tests still run
via test.yml.

Tracking: github/codeql#21484

Copilot AI left a comment


Pull request overview

This PR is intended to unblock the java-kotlin CodeQL workflow for Kotlin 2.3.x by adjusting how CodeQL tooling is provisioned, so CI can run successfully while retaining Kotlin security scanning.

Changes:

  • Disables java-kotlin from the CodeQL language matrix (both default and PR-changes-based paths).
  • Adds comments indicating Kotlin 2.3.20 is not yet supported (with an upstream issue reference).


@jeremy jeremy merged commit 538aff4 into main Mar 18, 2026
54 of 55 checks passed
@jeremy jeremy deleted the kotlin-codeql branch March 18, 2026 18:13
jeremy added a commit that referenced this pull request Mar 18, 2026
* origin/main:
  Add hill chart API support (GetHillChart, UpdateHillChartSettings) (#195)
  Switch CODEOWNERS from sip to cli team (#199)
  Use linked CodeQL CLI for Kotlin 2.3.x support (#197)
  Fix escaped markdown in spec-change-impact PR comments (#196)
  Add on_hold property to CardColumn (#188)