fix(repo): move codeql to yml based config s.t. it runs properly on forks #32659

Merged
FrozenPandaz merged 2 commits into master from codeql-actions-yml on Sep 11, 2025

@AgentEnder

Current Behavior

We are using the default codeql setup, which refuses to run on PRs from forks

Expected Behavior

We use the yml based codeql setup, which should run correctly

Important

This is only the first half of this effort. After this is merged, PRs will need to be rebased and the repo will need a settings update from @FrozenPandaz

@AgentEnder AgentEnder requested a review from a team as a code owner September 8, 2025 16:11
@AgentEnder AgentEnder requested a review from Cammisuli September 8, 2025 16:11
@vercel

vercel bot commented Sep 8, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Updated (UTC) |
| --- | --- | --- | --- |
| nx-dev | Ready | Preview | Sep 11, 2025 4:07pm |

@nx-cloud

nx-cloud bot commented Sep 8, 2025

View your CI Pipeline Execution ↗ for commit 4a028f4

| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx run-many -t check-imports check-commit check... | ✅ Succeeded | 1m 47s | View ↗ |
| nx affected --targets=lint,test,build,e2e,e2e-c... | ✅ Succeeded | <1s | View ↗ |
| nx-cloud record -- nx-cloud conformance:check | ✅ Succeeded | 3s | View ↗ |
| nx-cloud record -- nx format:check | ✅ Succeeded | <1s | View ↗ |
| nx-cloud record -- nx sync:check | ✅ Succeeded | <1s | View ↗ |
| nx documentation | ✅ Succeeded | 36s | View ↗ |

☁️ Nx Cloud last updated this comment at 2025-09-11 16:03:38 UTC

permissions:
# required for all workflows
security-events: write

This comment was marked as outdated.

Comment on lines +41 to +42
- language: java-kotlin
build-mode: autobuild

Logic inconsistency bug: java-kotlin analysis is enabled in PR workflow but commented out in master workflow. The master workflow comments out java-kotlin (lines 47-49) with a note that 'its currently failing', but the PR workflow enables it with 'autobuild' mode. This will cause the PR workflow to fail when it tries to analyze java-kotlin code, since the same build issues that caused it to be disabled in master still exist. Either enable java-kotlin in both workflows or disable it in both for consistency.

Suggested change
- language: java-kotlin
build-mode: autobuild
# - language: java-kotlin
# build-mode: autobuild
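
Review bot: with both `java-kotlin` lines commented out, this workflow's matrix no longer analyzes Java/Kotlin at all, so the consistency fix trades a failing job for a coverage gap. Keep a comment beside the disabled entry that states why it is off and where the failure is tracked, so it gets re-enabled once `autobuild` works.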

Spotted by Diamond


Comment on lines +91 to +99
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1

The exit 1 command in this conditional block will cause the workflow to fail whenever a language with build-mode: 'manual' is added to the matrix. Since this appears to be template code that might be used in the future, consider either:

  1. Removing the exit 1 command to prevent future failures, or
  2. Adding a comment explaining that this code needs to be updated before adding any manual build modes to the matrix

This way, the configuration will be ready for future language additions without requiring immediate changes to the build commands.

Suggested change
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
echo 'IMPORTANT: Update this section with your actual build commands before adding any' \
'languages with build-mode: manual to the matrix, otherwise the workflow will fail.'
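
Review bot: the replacement step ends on an `echo` where the original ended on `exit 1`, so a matrix entry with `build-mode: manual` would now pass this step and go on to analysis without any build commands having run. Keep `exit 1` as the last line so the job stops here with the explanatory message, and put the new IMPORTANT text in a YAML comment above the step rather than in a runtime `echo`.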

Spotted by Diamond


Comment on lines +86 to +94
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1

The exit 1 command in this conditional block will cause the workflow to fail whenever a language with build-mode: 'manual' is processed. Currently this is not an issue since no languages in the matrix are configured with manual build mode, but this creates a potential problem if the matrix is updated in the future.

Consider either:

  1. Removing the exit 1 command to prevent future failures, or
  2. Adding a comment explaining that this is intentional to force developers to implement proper build commands when manual mode is selected

This appears to be boilerplate code from the GitHub CodeQL template, but it should be adjusted to avoid unexpected failures when the configuration changes.

Suggested change
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
- if: matrix.build-mode == 'manual'
shell: bash
run: |
# NOTE: If you are using manual build mode, replace the echo statements below
# with the actual commands needed to build your code
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
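
Review bot: this replacement also drops `exit 1`, although option 2 in the comment above was to document the failure as intentional. Adding the `# NOTE` lines and leaving `exit 1` in place as the last line of `run:` does that and keeps the placeholder step failing until real build commands replace it.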

Spotted by Diamond


@FrozenPandaz FrozenPandaz merged commit d81861d into master Sep 11, 2025
19 checks passed
@FrozenPandaz FrozenPandaz deleted the codeql-actions-yml branch September 11, 2025 16:45
@github-actions

This pull request has already been merged/closed. If you experience issues related to these changes, please open a new issue referencing this pull request.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 17, 2025