From 6927a22c30b39f35077a729cb926fe75ef0a5de8 Mon Sep 17 00:00:00 2001 From: Jeffrey 'Alex' Clark Date: Thu, 18 Jun 2026 11:41:20 -0400 Subject: [PATCH 1/5] PYTHON-5877 Use codeql composite action from drivers-github-tools Delegate to the shared action so the pinned CodeQL version lives in one place and Dependabot can update it centrally. --- .github/workflows/codeql.yml | 27 ++++----------------------- 1 file changed, 4 insertions(+), 23 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a6321adbef..2feff25c0f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,7 +23,6 @@ jobs: runs-on: "ubuntu-latest" timeout-minutes: 360 permissions: - # required for all workflows security-events: write strategy: @@ -36,33 +35,15 @@ jobs: build-mode: none - language: actions build-mode: none - steps: - - name: Checkout repository - uses: actions/checkout@v6.0.3 - with: - ref: ${{ inputs.ref }} - persist-credentials: false - - uses: actions/setup-python@v6 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 + steps: + - uses: mongodb-labs/drivers-github-tools/codeql@6916a008ec612b4575d8f630c6745e776207e30a # PYTHON-5877 with: - languages: ${{ matrix.language }} + language: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - queries: security-extended + ref: ${{ inputs.ref }} config: | paths-ignore: - 'doc/**' - 'tools/**' - 'test/**' - - - if: matrix.build-mode == 'manual' - run: | - pip install -e . - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 - with: - category: "/language:${{matrix.language}}" From 50b6ab245bd688c86468b5dff321efd44e930d73 Mon Sep 17 00:00:00 2001 From: Jeffrey 'Alex' Clark Date: Wed, 8 Jul 2026 14:55:18 -0400 Subject: [PATCH 2/5] PYTHON-5877 Fix duplicate steps key in codeql workflow --- .github/workflows/codeql.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 30340c509d..af6a76ecfc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -35,14 +35,6 @@ jobs: build-mode: none - language: actions build-mode: none - steps: - - name: Checkout repository - uses: actions/checkout@v7.0.0 - with: - ref: ${{ inputs.ref }} - persist-credentials: false - - uses: actions/setup-python@v6 - steps: - uses: mongodb-labs/drivers-github-tools/codeql@6916a008ec612b4575d8f630c6745e776207e30a # PYTHON-5877 with: From f7640b31d54533cd6882dfd5378b635e4af5ca81 Mon Sep 17 00:00:00 2001 From: Jeffrey 'Alex' Clark Date: Wed, 8 Jul 2026 14:57:50 -0400 Subject: [PATCH 3/5] PYTHON-5877 Re-pin codeql action to merged commit --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index af6a76ecfc..3c61f64feb 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,7 +36,7 @@ jobs: - language: actions build-mode: none steps: - - uses: mongodb-labs/drivers-github-tools/codeql@6916a008ec612b4575d8f630c6745e776207e30a # PYTHON-5877 + - uses: mongodb-labs/drivers-github-tools/codeql@95f9ce909bf0e44707fffdb92c18ed86e74aa2fd # PYTHON-5877 with: language: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} From 1d09f8fea285a69e245c300bd14df957c8679adb Mon Sep 17 00:00:00 2001 From: Jeffrey 'Alex' Clark Date: Wed, 8 Jul 2026 15:08:51 -0400 Subject: [PATCH 4/5] PYTHON-5877 Use resolvable version comment for codeql action pin --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3c61f64feb..4d050a0928 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,7 +36,7 @@ jobs: - language: actions build-mode: none steps: - - uses: mongodb-labs/drivers-github-tools/codeql@95f9ce909bf0e44707fffdb92c18ed86e74aa2fd # PYTHON-5877 + - uses: mongodb-labs/drivers-github-tools/codeql@95f9ce909bf0e44707fffdb92c18ed86e74aa2fd # v3 with: language: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} From 87008c2bd51f0f9e1715565efc6c484e725aa136 Mon Sep 17 00:00:00 2001 From: Jeffrey 'Alex' Clark Date: Wed, 8 Jul 2026 15:13:50 -0400 Subject: [PATCH 5/5] PYTHON-5877 Pass manual-build-command for c-cpp CodeQL build --- .github/workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4d050a0928..4d667ec893 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -31,6 +31,7 @@ jobs: include: - language: c-cpp build-mode: manual + manual-build-command: pip install -e . - language: python build-mode: none - language: actions @@ -40,6 +41,7 @@ jobs: with: language: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} + manual-build-command: ${{ matrix.manual-build-command }} ref: ${{ inputs.ref }} config: | paths-ignore: