From 8a447674c41811f1f0e5b9d5e21a38d34d843f4c Mon Sep 17 00:00:00 2001 From: tristandubbeld Date: Fri, 21 Nov 2025 10:38:34 +0100 Subject: [PATCH 1/5] perf(ci): optimize CodeQL analysis performance with query filtering and path exclusions --- .github/codeql/codeql-config.yml | 31 +++++++++++++++++++++++++++++-- .github/workflows/codeql.yml | 18 +++++++++++++++++- 2 files changed, 46 insertions(+), 3 deletions(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index df477b4883a..afededb1d39 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -1,7 +1,7 @@ name: "CodeQL Config" -# Exclude paths to reduce disk space usage during CodeQL analysis -# This prevents analyzing unnecessary files that consume disk space +# Exclude paths to reduce disk space usage and improve analysis performance +# This prevents analyzing unnecessary files that consume disk space and time paths-ignore: # Dependencies - don't analyze third-party code - "**/node_modules" @@ -16,6 +16,23 @@ paths-ignore: - "**/www" - "**/release" + # Test files - exclude test code to improve performance + # Test files rarely contain security vulnerabilities that matter for production + - "**/*.test.ts" + - "**/*.test.tsx" + - "**/*.spec.ts" + - "**/*.spec.tsx" + - "**/*.test.js" + - "**/*.test.jsx" + - "**/*.spec.js" + - "**/*.spec.jsx" + + # Storybook files + - "**/*.stories.tsx" + - "**/*.stories.ts" + - "**/*.stories.jsx" + - "**/*.stories.js" + # Test fixtures and snapshots - "**/__mocks__" - "**/__image_snapshots__" @@ -26,6 +43,16 @@ paths-ignore: - "**/test/**/*.svg" - "**/integration-tests/**/*.png" + # Test utilities and configs + - "**/test-utils/**" + - "**/testing/**" + - "**/jest.config.*" + - "**/jest.setup.*" + - "**/coverage/**" + + # Generated type definition files + - "**/*.d.ts" + # Example and playground files - not production code - "**/example" - "**/examples" 
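Review bot: `**/testing/**` and `**/test-utils/**` in the `@@ -26,6 +43,16 @@` hunk match on directory name alone, so any shipped package or folder that happens to be called `testing` drops out of the scan with no warning; worth checking against the repository tree that these names only occur under test code before landing them. The same check applies to `**/*.d.ts`: as far as I recall the TypeScript extractor reads declaration files for type resolution, so excluding them may reduce typed data-flow precision rather than just save time — confirm before keeping it. The comment `# Test files rarely contain security vulnerabilities that matter for production` in the `@@ -16,6 +16,23 @@` hunk understates the trade-off, since excluded paths are not extracted at all, and test helpers or fixtures imported by production code become invisible; I would phrase it as `# Excluded files are never analysed; keep anything imported by production code out of these globs`. Note also that `paths-ignore` behaves differently per language (for some it filters results rather than extraction), so the performance gain depends on what `matrix.language` contains. These patterns survive unchanged into the final `codeql-config.yml` in the last patch of the series, so the caveat applies to the end state too.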
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5e1e3aa8d9c..97e9ef5b2db 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -12,6 +12,7 @@ jobs: analyze: name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest + timeout-minutes: 60 permissions: # required for all workflows security-events: write @@ -68,13 +69,28 @@ jobs: uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL + # Use security-extended query pack for PRs (faster), security-and-quality for main/scheduled (comprehensive) + - name: Initialize CodeQL (PR - security-extended) + if: github.event_name == 'pull_request' uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} # Use our custom config file to exclude unnecessary files config-file: ./.github/codeql/codeql-config.yml + # Use security-extended for faster PR analysis + queries: +security-extended + + - name: Initialize CodeQL (main/scheduled - security-and-quality) + if: github.event_name != 'pull_request' + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # Use our custom config file to exclude unnecessary files + config-file: ./.github/codeql/codeql-config.yml + # Use security-and-quality for comprehensive analysis on main branch and scheduled runs + queries: +security-and-quality - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From 949881ec3febad1fd135e7a329626b12f7f7c087 Mon Sep 17 00:00:00 2001 From: tristandubbeld Date: Fri, 21 Nov 2025 11:33:40 +0100 Subject: [PATCH 2/5] fix(ci): correct CodeQL query pack syntax to use replacement instead of addition --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 97e9ef5b2db..ff00b59d231 100644 --- a/.github/workflows/codeql.yml 
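Review bot: Splitting initialisation into two `if:`-guarded steps in the `@@ -68,13 +69,28 @@` hunk means a pull request is scanned with a different query set than the branch it merges into, so anything `security-and-quality` reports but `security-extended` does not will first surface as a new alert on the default branch after merge rather than on the PR. If that split is intentional, the two steps are otherwise identical and can be collapsed into one with `queries: ${{ github.event_name == 'pull_request' && 'security-extended' || 'security-and-quality' }}`, which removes the duplicated `languages`/`build-mode`/`config-file` lines. The `timeout-minutes: 60` added in the `@@ -12,6 +12,7 @@` hunk is sensible, but a job killed by the cap uploads no SARIF, so a scheduled run that consistently overruns would leave the alert state on main stale; worth a comment such as `# Hard cap: a timed-out run uploads no results, so treat repeated timeouts as a scan outage`.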
+++ b/.github/workflows/codeql.yml @@ -79,7 +79,7 @@ jobs: # Use our custom config file to exclude unnecessary files config-file: ./.github/codeql/codeql-config.yml # Use security-extended for faster PR analysis - queries: +security-extended + queries: security-extended - name: Initialize CodeQL (main/scheduled - security-and-quality) if: github.event_name != 'pull_request' @@ -90,7 +90,7 @@ jobs: # Use our custom config file to exclude unnecessary files config-file: ./.github/codeql/codeql-config.yml # Use security-and-quality for comprehensive analysis on main branch and scheduled runs - queries: +security-and-quality + queries: security-and-quality - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From c89448eb533fdf89248e13e59d1ff630c3080d5a Mon Sep 17 00:00:00 2001 From: tristandubbeld Date: Fri, 21 Nov 2025 13:43:53 +0100 Subject: [PATCH 3/5] perf(ci): use proper CodeQL config format and increase RAM allocation for faster query execution --- .github/workflows/codeql.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ff00b59d231..8d991ca1630 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
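Review bot: The `+` prefix on `queries` was valid syntax rather than an error: `+security-extended` adds the pack to the default suite, while the new `security-extended` replaces it, so both hunks change what runs rather than fix a format problem. That is harmless here only because, as far as I recall, `security-extended` and `security-and-quality` are each supersets of the default suite, but the comments on both steps still read as if only speed were at stake; I would make the intent explicit with `# Replaces the default suite; security-extended already contains the default security queries` on the first step and the equivalent wording on the second.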
@@ -78,8 +78,13 @@ jobs: build-mode: ${{ matrix.build-mode }} # Use our custom config file to exclude unnecessary files config-file: ./.github/codeql/codeql-config.yml - # Use security-extended for faster PR analysis - queries: security-extended + # Override queries to use security-extended for faster PR analysis + # Format per GitHub docs: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning + config: | + queries: + - uses: security-extended + # Increase RAM allocation to allow more threads (reduces "Compiling in 3 threads due to RAM limits") + ram: 4096 - name: Initialize CodeQL (main/scheduled - security-and-quality) if: github.event_name != 'pull_request' @@ -89,8 +94,12 @@ jobs: build-mode: ${{ matrix.build-mode }} # Use our custom config file to exclude unnecessary files config-file: ./.github/codeql/codeql-config.yml - # Use security-and-quality for comprehensive analysis on main branch and scheduled runs - queries: security-and-quality + # Override queries to use security-and-quality for comprehensive analysis + config: | + queries: + - uses: security-and-quality + # Increase RAM allocation to allow more threads (reduces "Compiling in 3 threads due to RAM limits") + ram: 4096 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From 641b65c5219c2562620151dd84c28683dd94dd36 Mon Sep 17 00:00:00 2001 From: tristandubbeld Date: Fri, 21 Nov 2025 13:59:06 +0100 Subject: [PATCH 4/5] refactor(ci): remove unused codeql-config.yml in favor of separate PR and main config files --- .github/codeql/codeql-config-main.yml | 87 +++++++++++++++++++ ...codeql-config.yml => codeql-config-pr.yml} | 9 +- .github/workflows/codeql.yml | 17 +--- 3 files changed, 98 insertions(+), 15 deletions(-) create mode 100644 .github/codeql/codeql-config-main.yml rename .github/codeql/{codeql-config.yml => codeql-config-pr.yml} (91%) 
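Review bot: In the config-file format used inside the `config: |` block, a `queries:` list is additive unless `disable-default-queries: true` is set, so both hunks quietly reinstate the add-to-default behaviour the previous commit removed; if replacement is the intent, `disable-default-queries: true` belongs above `queries:` in each block. I also believe the `config` input of `codeql-action/init` takes precedence over `config-file` rather than merging with it, in which case the `paths-ignore` list in `codeql-config.yml` would no longer apply on these steps at all — worth confirming against the action's documentation before relying on both inputs together. `ram: 4096` is plausible, but the comment should record the unit and the runner it was sized for so the number can be revisited, e.g. `# ram is in MB; sized for the standard ubuntu-latest runner — revisit if the runner size changes`.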
diff --git a/.github/codeql/codeql-config-main.yml b/.github/codeql/codeql-config-main.yml new file mode 100644 index 00000000000..0e958072072 --- /dev/null +++ b/.github/codeql/codeql-config-main.yml 
@@ -0,0 +1,87 @@ +name: "CodeQL Config - Main" + +# Configuration for main branch and scheduled runs: use security-and-quality for comprehensive analysis +disable-default-queries: true +queries: + - uses: security-and-quality + +# Exclude paths to reduce disk space usage and improve analysis performance +paths-ignore: + # Dependencies - don't analyze third-party code + - "**/node_modules" + - "**/yarn.lock" + - "**/package-lock.json" + + # Build artifacts - generated code doesn't need analysis + - "**/dist" + - "**/lib" + - "**/compiled" + - "**/build" + - "**/www" + - "**/release" + + # Test files - exclude test code to improve performance + # Test files rarely contain security vulnerabilities that matter for production + - "**/*.test.ts" + - "**/*.test.tsx" + - "**/*.spec.ts" + - "**/*.spec.tsx" + - "**/*.test.js" + - "**/*.test.jsx" + - "**/*.spec.js" + - "**/*.spec.jsx" + + # Storybook files + - "**/*.stories.tsx" + - "**/*.stories.ts" + - "**/*.stories.jsx" + - "**/*.stories.js" + + # Test fixtures and snapshots + - "**/__mocks__" + - "**/__image_snapshots__" + - "**/_fixtures" + - "**/fixture" + - "**/test/**/*.png" + - "**/test/**/*.jpg" + - "**/test/**/*.svg" + - "**/integration-tests/**/*.png" + + # Test utilities and configs + - "**/test-utils/**" + - "**/testing/**" + - "**/jest.config.*" + - "**/jest.setup.*" + - "**/coverage/**" + + # Generated type definition files + - "**/*.d.ts" + + # Example and playground files - not production code + - "**/example" + - "**/examples" + - "**/playground" + - "**/website" + - "**/docs" + + # Generated files + - "**/*.map" + - "**/*.min.js" + - "**/*.min.css" + + # Large standalone packages - exclude website and release directories + - "standalone-packages/monaco-editor/website" + - "standalone-packages/monaco-editor/release" + - "standalone-packages/vscode-editor/release" + - "standalone-packages/vscode-textmate/**/*.result" + - "standalone-packages/vscode-textmate/**/*.patch" + + # Static assets + - 
"**/static/fonts" + - "**/static/img" + - "**/public" + + # CI/CD files + - "**/Dockerfile*" + - "**/.circleci" + diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config-pr.yml similarity index 91% rename from .github/codeql/codeql-config.yml rename to .github/codeql/codeql-config-pr.yml index afededb1d39..f95485a007f 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config-pr.yml @@ -1,7 +1,11 @@ -name: "CodeQL Config" +name: "CodeQL Config - PR" + +# Configuration for pull requests: use security-extended for faster analysis +disable-default-queries: true +queries: + - uses: security-extended # Exclude paths to reduce disk space usage and improve analysis performance -# This prevents analyzing unnecessary files that consume disk space and time paths-ignore: # Dependencies - don't analyze third-party code - "**/node_modules" @@ -80,3 +84,4 @@ paths-ignore: # CI/CD files - "**/Dockerfile*" - "**/.circleci" + diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8d991ca1630..93ae8abbd57 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -76,13 +76,8 @@ jobs: with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # Use our custom config file to exclude unnecessary files - config-file: ./.github/codeql/codeql-config.yml - # Override queries to use security-extended for faster PR analysis - # Format per GitHub docs: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning - config: | - queries: - - uses: security-extended + # Use config file for PRs: security-extended for faster analysis + config-file: ./.github/codeql/codeql-config-pr.yml # Increase RAM allocation to allow more threads (reduces "Compiling in 3 threads due to RAM limits") ram: 4096 
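Review bot: `codeql-config-main.yml` duplicates the entire `paths-ignore` list from `codeql-config-pr.yml` verbatim, so the two files will drift the first time an exclusion is added to one and not the other, and PR scans and main-branch scans would then cover different file sets with no signal that they diverged. Only the `name` and `queries` stanzas differ, so one shared exclusion file plus the `queries:` input on the two `init` steps (as the first commit had) would carry the same intent without the copy; the workflow hunks `@@ -76,13 +76,8 @@` and `@@ -92,12 +87,8 @@` would then point at the same `config-file`. Both config files also end with an empty line after `- "**/.circleci"` (the `@@ -80,3 +84,4 @@` hunk adds it to the PR file), which yamllint's `empty-lines` rule flags.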
@@ -92,12 +87,8 @@ jobs: with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # Use our custom config file to exclude unnecessary files - config-file: ./.github/codeql/codeql-config.yml - # Override queries to use security-and-quality for comprehensive analysis - config: | - queries: - - uses: security-and-quality + # Use config file for main/scheduled: security-and-quality for comprehensive analysis + config-file: ./.github/codeql/codeql-config-main.yml # Increase RAM allocation to allow more threads (reduces "Compiling in 3 threads due to RAM limits") ram: 4096 From aef12067314aca81c2cc98ac2f6e70d51a89845c Mon Sep 17 00:00:00 2001 From: tristandubbeld Date: Fri, 21 Nov 2025 14:37:52 +0100 Subject: [PATCH 5/5] revert(ci): restore original CodeQL setup with default queries and single config file --- .github/codeql/codeql-config-main.yml | 87 ------------------- ...codeql-config-pr.yml => codeql-config.yml} | 10 +-- .github/workflows/codeql.yml | 21 +---- 3 files changed, 5 insertions(+), 113 deletions(-) delete mode 100644 .github/codeql/codeql-config-main.yml rename .github/codeql/{codeql-config-pr.yml => codeql-config.yml} (84%) diff --git a/.github/codeql/codeql-config-main.yml b/.github/codeql/codeql-config-main.yml deleted file mode 100644 index 0e958072072..00000000000 --- a/.github/codeql/codeql-config-main.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -name: "CodeQL Config - Main" - -# Configuration for main branch and scheduled runs: use security-and-quality for comprehensive analysis -disable-default-queries: true -queries: - - uses: security-and-quality - -# Exclude paths to reduce disk space usage and improve analysis performance -paths-ignore: - # Dependencies - don't analyze third-party code - - "**/node_modules" - - "**/yarn.lock" - - "**/package-lock.json" - - # Build artifacts - generated code doesn't need analysis - - "**/dist" - - "**/lib" - - "**/compiled" - - "**/build" - - "**/www" - - "**/release" - - # Test files - exclude test code to improve performance - # Test files rarely contain security vulnerabilities that matter for production - - "**/*.test.ts" - - "**/*.test.tsx" - - "**/*.spec.ts" - - "**/*.spec.tsx" - - "**/*.test.js" - - "**/*.test.jsx" - - "**/*.spec.js" - - "**/*.spec.jsx" - - # Storybook files - - "**/*.stories.tsx" - - "**/*.stories.ts" - - "**/*.stories.jsx" - - "**/*.stories.js" - - # Test fixtures and snapshots - - "**/__mocks__" - - "**/__image_snapshots__" - - "**/_fixtures" - - "**/fixture" - - "**/test/**/*.png" - - "**/test/**/*.jpg" - - "**/test/**/*.svg" - - "**/integration-tests/**/*.png" - - # Test utilities and configs - - "**/test-utils/**" - - "**/testing/**" - - "**/jest.config.*" - - "**/jest.setup.*" - - "**/coverage/**" - - # Generated type definition files - - "**/*.d.ts" - - # Example and playground files - not production code - - "**/example" - - "**/examples" - - "**/playground" - - "**/website" - - "**/docs" - - # Generated files - - "**/*.map" - - "**/*.min.js" - - "**/*.min.css" - - # Large standalone packages - exclude website and release directories - - "standalone-packages/monaco-editor/website" - - "standalone-packages/monaco-editor/release" - - "standalone-packages/vscode-editor/release" - - "standalone-packages/vscode-textmate/**/*.result" - - "standalone-packages/vscode-textmate/**/*.patch" - - # Static assets - - 
"**/static/fonts" - - "**/static/img" - - "**/public" - - # CI/CD files - - "**/Dockerfile*" - - "**/.circleci" - diff --git a/.github/codeql/codeql-config-pr.yml b/.github/codeql/codeql-config.yml similarity index 84% rename from .github/codeql/codeql-config-pr.yml rename to .github/codeql/codeql-config.yml index f95485a007f..c32823f426f 100644 --- a/.github/codeql/codeql-config-pr.yml +++ b/.github/codeql/codeql-config.yml @@ -1,9 +1,4 @@ -name: "CodeQL Config - PR" - -# Configuration for pull requests: use security-extended for faster analysis -disable-default-queries: true -queries: - - uses: security-extended +name: "CodeQL Config" # Exclude paths to reduce disk space usage and improve analysis performance paths-ignore: @@ -21,7 +16,6 @@ paths-ignore: - "**/release" # Test files - exclude test code to improve performance - # Test files rarely contain security vulnerabilities that matter for production - "**/*.test.ts" - "**/*.test.tsx" - "**/*.spec.ts" @@ -69,7 +63,7 @@ paths-ignore: - "**/*.min.js" - "**/*.min.css" - # Large standalone packages - exclude website and release directories + # Large standalone packages - "standalone-packages/monaco-editor/website" - "standalone-packages/monaco-editor/release" - "standalone-packages/vscode-editor/release" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 93ae8abbd57..527063f12fd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -69,28 +69,13 @@ jobs: uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - # Use security-extended query pack for PRs (faster), security-and-quality for main/scheduled (comprehensive) - - name: Initialize CodeQL (PR - security-extended) - if: github.event_name == 'pull_request' + - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # Use config file for PRs: security-extended for faster analysis - config-file: ./.github/codeql/codeql-config-pr.yml - # Increase RAM allocation to allow more threads (reduces "Compiling in 3 threads due to RAM limits") - ram: 4096 - - - name: Initialize CodeQL (main/scheduled - security-and-quality) - if: github.event_name != 'pull_request' - uses: github/codeql-action/init@v4 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # Use config file for main/scheduled: security-and-quality for comprehensive analysis - config-file: ./.github/codeql/codeql-config-main.yml - # Increase RAM allocation to allow more threads (reduces "Compiling in 3 threads due to RAM limits") - ram: 4096 + # Use our custom config file to exclude unnecessary files + config-file: ./.github/codeql/codeql-config.yml - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4
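Review bot: With the `queries` customisation gone, the single init step runs the default suite again, which is the safer baseline for branch protection, but the restored comment `# Use our custom config file to exclude unnecessary files` is now the only hint of how much the config file excludes; I would extend it to `# Config file excludes tests, fixtures, generated and vendored paths; excluded files are never analysed`. This hunk does not touch `timeout-minutes: 60` from the first patch and the file's diffstat (3 insertions, 18 deletions) accounts for every line shown, so the net effect of the series on the workflow is that cap alone, alongside the enlarged exclusion list in `codeql-config.yml`. A scan killed by the cap uploads no SARIF, so a timed-out scheduled run should be treated as a missed scan rather than retried silently.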