From 793fe1783cf508d7a155d4745960a89abf4ce014 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 15 Sep 2025 14:10:32 +0100
Subject: [PATCH 1/6] CI: Configure Python analysis
---
 .github/codeql/codeql-actions-config.yml | 4 ----
 ...onfig.yml => codeql-config-javascript.yml} | 0
 .github/workflows/codeql.yml | 20 +++++++++++++------
 3 files changed, 14 insertions(+), 10 deletions(-)
 delete mode 100644 .github/codeql/codeql-actions-config.yml
 rename .github/codeql/{codeql-config.yml => codeql-config-javascript.yml} (100%)
diff --git a/.github/codeql/codeql-actions-config.yml b/.github/codeql/codeql-actions-config.yml
deleted file mode 100644
index 7f3b3f3a84..0000000000
--- a/.github/codeql/codeql-actions-config.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
- - uses: security-and-quality
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config-javascript.yml
similarity index 100%
rename from .github/codeql/codeql-config.yml
rename to .github/codeql/codeql-config-javascript.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1bb3f14b75..7e9d79f537 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -95,7 +95,7 @@ jobs:
 id: init
 with:
 languages: javascript
- config-file: ./.github/codeql/codeql-config.yml
+ config-file: ./.github/codeql/codeql-config-javascript.yml
 tools: ${{ matrix.tools }}
 # confirm steps.init.outputs.codeql-path points to the codeql binary
 - name: Print CodeQL Version
@@ -108,11 +108,16 @@ jobs:
 with:
 category: "/language:javascript"
- analyze-actions:
+ analyze-other:
 runs-on: ubuntu-latest
 strategy:
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: python
+ build-mode: none
 fail-fast: false
 permissions:
@@ -125,9 +130,12 @@ jobs:
 - name: Initialize CodeQL
 uses: ./init
 with:
- languages: actions
- config-file: ./.github/codeql/codeql-actions-config.yml
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ config: >
+ queries:
+ - uses: security-and-quality
 - name: Perform CodeQL Analysis
 uses: ./analyze
 with:
- category: "/language:actions"
+ category: "/language:${{ matrix.language }}"
From 73ead84d0a30b65725d5f87bcceb247b885b8db9 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 15 Sep 2025 14:12:47 +0100
Subject: [PATCH 2/6] Reorder strategy properties
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7e9d79f537..c5b981a148 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -112,13 +112,13 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
+ fail-fast: false
 matrix:
 include:
 - language: actions
 build-mode: none
 - language: python
 build-mode: none
- fail-fast: false
 permissions:
 contents: read
From 61b8b636e3fca7a4bd53ce056f546dfa3f967b5d Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 15 Sep 2025 14:15:05 +0100
Subject: [PATCH 3/6] Only upload a single matrix case for JS
---
 .github/workflows/codeql.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c5b981a148..b24de0a27c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -107,6 +107,7 @@ jobs:
 uses: ./analyze
 with:
 category: "/language:javascript"
+ upload: ${{ matrix.os == 'ubuntu-24.04' && matrix.tools == '' && 'always' || 'never' }}
 analyze-other:
 runs-on: ubuntu-latest
From 8105843d425356f4bf019863275cffc4f1976a1b Mon Sep 17 00:00:00 2001
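Review bot: The new `config: >` line embeds a YAML document in a folded block scalar, which only parses as intended because every nested line is more-indented than `queries:` and so keeps its line break; as I read the folding rules, two sibling keys at the same indent with nothing nested between them would be folded onto one line and the inline config would no longer be valid YAML. A literal block, `config: |`, preserves every newline regardless of indentation and is the conventional way to pass an embedded document as a string value. The `queries` list itself matches what the deleted codeql-actions-config.yml declared, so this is a robustness-of-syntax point rather than a behaviour change. The enclosing `analyze-other` job starts outside the hunk.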
From: Henry Mercer
Date: Mon, 15 Sep 2025 14:20:15 +0100
Subject: [PATCH 4/6] Specify `paths-ignore` for other languages
---
 .github/codeql/codeql-config-javascript.yml | 4 ++--
 .github/workflows/codeql.yml | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/codeql/codeql-config-javascript.yml b/.github/codeql/codeql-config-javascript.yml
index 124be804aa..d946c415fd 100644
--- a/.github/codeql/codeql-config-javascript.yml
+++ b/.github/codeql/codeql-config-javascript.yml
@@ -7,9 +7,9 @@ queries:
 # we include both even though one is a superset of the
 # other, because we're testing the parsing logic and
 # that the suites exist in the codeql bundle.
+ - uses: security-and-quality
 - uses: security-experimental
 - uses: security-extended
- - uses: security-and-quality
 paths-ignore:
- - tests
 - lib
+ - tests
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b24de0a27c..d254df6073 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -134,6 +134,9 @@ jobs:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
 config: >
+ paths-ignore:
+ - lib
+ - tests
 queries:
 - uses: security-and-quality
 - name: Perform CodeQL Analysis
From bce0fa7b273f185f5908dbefca72edeec59f768a Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 15 Sep 2025 14:45:40 +0100
Subject: [PATCH 5/6] Remove build mode from matrix
---
 .github/workflows/codeql.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d254df6073..e966320e9d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -117,9 +117,7 @@ jobs:
 matrix:
 include:
 - language: actions
- build-mode: none
 - language: python
- build-mode: none
 permissions:
 contents: read
@@ -132,7 +130,7 @@ jobs:
 uses: ./init
 with:
 languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
+ build-mode: none
 config: >
 paths-ignore:
 - lib
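Review bot: The added `paths-ignore` entries in the inline config duplicate the `paths-ignore` list in .github/codeql/codeql-config-javascript.yml, which this same commit reorders to the identical `lib`/`tests` pair, so the two copies can now drift apart with nothing to flag it. A one-line comment above the inline block, `# Keep paths-ignore in sync with .github/codeql/codeql-config-javascript.yml`, would at least point the next editor at the other copy; moving the shared list into a second config file referenced via `config-file` would remove the duplication entirely. Excluding `tests` also means the Python analysis never scans test code, which is a common trade-off but worth stating in that comment so it reads as deliberate. The enclosing `Initialize CodeQL` step begins outside the hunk.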
From 1069ace04eae3b4885eca965ab5eacb008c260e9 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 15 Sep 2025 16:09:21 +0100
Subject: [PATCH 6/6] Update .github/workflows/codeql.yml
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e966320e9d..cc157b15f2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -107,7 +107,7 @@ jobs:
 uses: ./analyze
 with:
 category: "/language:javascript"
- upload: ${{ matrix.os == 'ubuntu-24.04' && matrix.tools == '' && 'always' || 'never' }}
+ upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
 analyze-other:
 runs-on: ubuntu-latest
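Review bot: The rewritten `upload` gate hard-codes matrix labels (`ubuntu-24.04`, an unset or empty `tools`) that are defined outside this hunk, so a later rename of the OS label or a change to the `tools` default would silently turn every cell to `never` and the JavaScript results would stop reaching code scanning without any job failing. A comment stating the intent and the coupling would make that failure mode visible, e.g. `# Every cell analyses the same code under the same category, so upload from exactly one (default OS, bundled tools), presumably so the cells do not overwrite each other. If the matrix labels change, update this condition or nothing will be uploaded.` The switch from `matrix.tools == ''` to `!matrix.tools` already covers the unset-versus-empty case and the added parentheses make the `&&`/`||` precedence explicit, so this is a documentation point only. The enclosing `analyze` step and its matrix definition begin outside the hunk.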