ci: improve codeql workflow config

sebthom · sebthom · commit 0e2bc3914f62 · 2025-10-22T21:13:31.000+02:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -82,14 +82,27 @@ jobs:
       uses: actions/checkout@v5  # https://github.com/actions/checkout
 
 
+    # CodeQL executes https://github.com/ferstl/depgraph-maven-plugin
+    - name: "Install: JDK 25 for Maven/Tycho ☕"
+      uses: actions/setup-java@v5  # https://github.com/actions/setup-java
+      if: ${{ matrix.language }} == 'java'
+      with:
+        distribution: temurin
+        java-version: 25
+
+
+    # https://docs.github.com/en/code-security/code-scanning
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@v4  # https://github.com/github/codeql-action
       with:
         languages: ${{ matrix.language }}
+        # https://github.com/github/codeql-action#build-modes
         build-mode: ${{ matrix.build-mode }}
+        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs
+        queries: +security-and-quality
 
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@v4  # https://github.com/github/codeql-action
       with:
         category: "/language:${{matrix.language}}"
