Exclude auto-generated lock files from CodeQL actions analysis

mrjf · Copilot · mrjf · commit 0161ecdf32d3 · 2026-05-21T07:48:17.000-07:00
The crane.lock.yml is generated by 'gh aw compile' and contains
patterns (issue_comment trigger + checkout) that CodeQL flags as
'checkout of untrusted code in trusted context'. The lock file
includes branch validation but CodeQL cannot see through the
generated structure. Exclude *.lock.yml from scanning.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,5 @@
+name: "CodeQL configuration"
+
+paths-ignore:
+  # Auto-generated lock files from gh-aw compile
+  - ".github/workflows/*.lock.yml"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -30,6 +30,7 @@ jobs:
         uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
+          config-file: ./.github/codeql/codeql-config.yml
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v4
