From 12a3a4d4a241dc275155fba0361432877cc69735 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 26 May 2026 23:46:45 +0000 Subject: [PATCH 1/3] Initial plan From d95f2222804913326ad6e0e494ac646e20411024 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 26 May 2026 23:49:56 +0000 Subject: [PATCH 2/3] Add path-filtered CodeQL workflow for content-specific analysis Create .github/workflows/codeql.yml that uses dorny/paths-filter to detect which language directories changed, then only runs CodeQL analysis for those languages. This replaces the default setup which analyzed all languages on every PR regardless of changed files. On push to main and scheduled runs, all languages are analyzed. On PRs, only languages with changed files are analyzed. Co-authored-by: edburns <75821+edburns@users.noreply.github.com> --- .githooks/pre-commit | 0 .github/workflows/codeql.yml | 93 ++++++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+) mode change 100644 => 100755 .githooks/pre-commit create mode 100644 .github/workflows/codeql.yml diff --git a/.githooks/pre-commit b/.githooks/pre-commit old mode 100644 new mode 100755 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..f931f76e8 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,93 @@ +name: "CodeQL" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: "0 6 * * 1" # Weekly on Monday at 06:00 UTC + +permissions: + contents: read + security-events: write + +jobs: + changes: + name: Detect changed paths + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + outputs: + java: ${{ steps.filter.outputs.java }} + js: ${{ steps.filter.outputs.js }} + python: ${{ steps.filter.outputs.python }} + go: ${{ steps.filter.outputs.go }} + csharp: ${{ steps.filter.outputs.csharp }} + actions: ${{ steps.filter.outputs.actions }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 + id: filter + with: + filters: | + java: + - 'java/**' + js: + - 'nodejs/**' + - 'scripts/**' + python: + - 'python/**' + go: + - 'go/**' + csharp: + - 'dotnet/**' + actions: + - '.github/workflows/**' + - '.github/actions/**' + + analyze: + name: Analyze (${{ matrix.language }}) + needs: changes + if: always() + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + strategy: + fail-fast: false + matrix: + include: + - language: java-kotlin + gate: java + - language: javascript-typescript + gate: js + - language: python + gate: python + - language: go + gate: go + - language: csharp + gate: csharp + - language: actions + gate: actions + steps: + - name: Checkout repository + if: ${{ needs.changes.outputs[matrix.gate] == 'true' || github.event_name == 'schedule' || github.event_name == 'push' }} + uses: actions/checkout@v4 + + - name: Initialize CodeQL + if: ${{ needs.changes.outputs[matrix.gate] == 'true' || github.event_name == 'schedule' || github.event_name == 'push' }} + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + if: ${{ needs.changes.outputs[matrix.gate] == 'true' || github.event_name == 'schedule' || github.event_name == 'push' }} + uses: github/codeql-action/autobuild@v3 + + - name: Perform 
CodeQL Analysis + if: ${{ needs.changes.outputs[matrix.gate] == 'true' || github.event_name == 'schedule' || github.event_name == 'push' }} + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" From 05b07b29e8abc4fd7ff9da24852659d98522348b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 26 May 2026 23:50:35 +0000 Subject: [PATCH 3/3] Add clarifying comment for if: always() in CodeQL workflow Co-authored-by: edburns <75821+edburns@users.noreply.github.com> --- .github/workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f931f76e8..d11ffb328 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -50,6 +50,8 @@ jobs: analyze: name: Analyze (${{ matrix.language }}) needs: changes + # Run even if 'changes' is skipped (e.g. on push/schedule where paths-filter + # may not flag changes). Each step has its own gate condition. if: always() runs-on: ubuntu-latest permissions:
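Review bot: The new workflow references every action by a mutable tag (`dorny/paths-filter@v3`, `actions/checkout@v4`, `github/codeql-action/*@v3`); a tag can be moved, and `dorny/paths-filter` in particular is a third-party action whose outputs decide which languages get scanned, so a hijacked release could both run arbitrary code with `security-events: write` and silently turn analysis off for a PR. Pin each `uses:` to a full 40-character commit SHA with the version in a trailing comment, e.g. `uses: dorny/paths-filter@<40-hex-sha>  # v3`, and let Dependabot's `github-actions` ecosystem bump the SHAs. The same pin should be applied to the `checkout` and `codeql-action` steps in the `analyze` job; the job body spans the end of this hunk.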
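Review bot: The added comment gives the wrong rationale for `if: always()`: the `changes` job has no `if:`, so it is never skipped; `always()` only changes behavior when `changes` fails, and on a `pull_request` that failure leaves `needs.changes.outputs[matrix.gate]` empty, every step's gate evaluates false, and the `Analyze (...)` jobs go green with no CodeQL run at all — a fail-open for any required check. If the intent is to keep push/schedule runs alive when paths-filter errors, gate on the result instead, `if: ${{ !cancelled() && (needs.changes.result == 'success' || github.event_name != 'pull_request') }}`, and reword the comment to `# Push/schedule runs scan everything regardless of path detection; PRs must have a successful 'changes' job so a filter failure cannot silently skip analysis.` The `analyze` job's steps lie outside this hunk.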