Copilot AI commented Jan 14, 2026

The CodeQL workflow runs Python analysis on every PR, causing failures for changes that don't contain Python code (e.g., Cyrano TypeScript changes). This adds conditional execution to skip Python analysis when no .py files are modified.

Changes

  • New detect job: Identifies Python files in changeset via git diff

    • Handles pull_request (base → head SHA), push (before → after SHA), and schedule (all files) events
    • Outputs python_changed boolean via $GITHUB_OUTPUT
  • Modified analyze job: Added dependency and conditional

    • needs: detect - waits for detection
    • if: matrix.language != 'python' || needs.detect.outputs.python_changed == 'true' - runs Python analysis only when relevant
    • Matrix unchanged - Python remains available when needed

Behavior

# Non-Python PR (e.g., Cyrano changes)
→ python_changed=false → Python analysis skipped

# Python PR (e.g., scripts/ changes)  
→ python_changed=true → Python analysis runs

# Mixed PR
→ python_changed=true → All analyses run

Actions and JavaScript/TypeScript analyses remain unconditional.

Original prompt

Modify the CodeQL workflow to only run Python analysis when the change set actually contains Python files. The repository's current CodeQL workflow (.github/workflows/codeql.yml) runs a matrix that includes python, which causes the 'CodeQL Advanced / Analyze (python)' check to run and fail for PRs that don't touch Python files. We will implement a safe conditional so Python analysis runs only when Python files are present in the push or PR.

Changes to make:

  • Update .github/workflows/codeql.yml
    • Add a new job detect that checks out the code and determines whether the current event (pull_request or push) includes any changed files with a .py extension. The job should set an output python_changed to true or false using the recommended $GITHUB_OUTPUT approach.
    • Make the existing analyze job depend on detect (add needs: detect) and add a job-level if condition so the python matrix job runs only when matrix.language != 'python' OR needs.detect.outputs.python_changed == 'true'.
    • Keep the existing matrix entries (including python) so the workflow still supports python analysis when needed.
    • Preserve other configuration in the file (permissions, pooling, config-file usage, autobuild, upload, etc.) so behavior for other languages is unchanged.

Implementation details for the detect job:

  • runs-on: ubuntu-latest
  • steps:
    • uses: actions/checkout@v4 with fetch-depth: 0 (to enable diff between refs)
    • run: a shell script that determines changed files for pull_request vs push and sets the boolean output python_changed via: echo "python_changed=true" >> $GITHUB_OUTPUT or echo "python_changed=false" >> $GITHUB_OUTPUT.
    • The detection should handle pull_request events by comparing the PR head to the base branch, and push events by using github.event.before and github.sha.

Safety notes included in PR description:

  • This change only skips the python analysis when no Python files were touched; it does not remove python from the matrix, so python analysis still runs when Python files exist in a change.
  • If there are other workflow files that initialize CodeQL separately, they may still run python analysis; this PR only updates the main .github/workflows/codeql.yml.

Files to modify:

  • .github/workflows/codeql.yml

Please create a branch, commit the change, and open a PR against main with title: "CodeQL: run python analysis only when Python files changed". In the PR description, explain what changed and why and mention that this prevents unnecessary failing python analysis runs for Cyrano (no python in that code path) while preserving Python scans when relevant.

This pull request was created from Copilot chat.
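
The detection step described in the PR description above, as an added example (not the merged workflow's script, which this page does not show). The function names and the `EVENT_NAME`, `BASE_SHA` and `HEAD_SHA` variables are assumptions; whenever the diff range cannot be trusted it checks all tracked files or runs the scan instead of skipping it.

```shell
#!/usr/bin/env bash
# Added example: detection logic for a "detect" job. All names are illustrative.
# Pass event data through the step's env: block (EVENT_NAME, BASE_SHA, HEAD_SHA)
# instead of interpolating workflow expressions into the script text.

ZERO_SHA=0000000000000000000000000000000000000000

# Print "true" if any path on stdin ends in .py, else "false".
has_python() {
  if grep -q '\.py$'; then echo true; else echo false; fi
}

# Print "<base> <head>" when both SHAs are usable, or "ALL" when there is no
# trustworthy base: schedule runs, a missing SHA, or a push that creates a
# branch (github.event.before is then all zeros).
diff_range() {
  event=$1 base=$2 head=$3
  case "$event" in
    pull_request|push)
      if [ -z "$base" ] || [ -z "$head" ] || [ "$base" = "$ZERO_SHA" ]; then
        echo ALL
      else
        echo "$base $head"
      fi ;;
    *) echo ALL ;;
  esac
}

# Full decision. If the diff itself fails (for example a shallow clone that
# lacks the base commit), answer "true" so the scan runs rather than skips.
python_changed() {
  range=$(diff_range "$1" "$2" "$3")
  if [ "$range" = ALL ]; then
    git ls-files | has_python
    return
  fi
  set -- $range   # split into base and head; SHAs contain no spaces or globs
  if files=$(git diff --name-only "$1" "$2" 2>/dev/null); then
    printf '%s\n' "$files" | has_python
  else
    echo true
  fi
}

# Inside a workflow step, publish the job output.
if [ -n "${GITHUB_OUTPUT:-}" ]; then
  echo "python_changed=$(python_changed "${EVENT_NAME:-}" "${BASE_SHA:-}" "${HEAD_SHA:-}")" >> "$GITHUB_OUTPUT"
fi
```

Deleted and renamed `.py` paths also appear in `git diff --name-only`, so removing Python code still triggers the Python analysis.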


coderabbitai bot commented Jan 14, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

codacy-production bot commented Jan 14, 2026

Codacy's Analysis Summary

0 new issue (≤ 0 issue)
0 new security issue


- Add 'detect' job to check for Python file changes
- Modify 'analyze' job to skip Python when no .py files changed
- Handle pull_request and push events appropriately
- Use $GITHUB_OUTPUT for setting job outputs
- Preserve all other CodeQL configurations

Co-authored-by: MightyPrytanis <219587333+MightyPrytanis@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Modify CodeQL workflow to conditionally run Python analysis" to "CodeQL: run Python analysis only when Python files changed" Jan 14, 2026
Copilot AI requested a review from MightyPrytanis January 14, 2026 19:03
MightyPrytanis marked this pull request as ready for review January 14, 2026 19:06
MightyPrytanis merged commit 5de49a7 into main Jan 14, 2026
3 of 4 checks passed
MightyPrytanis deleted the copilot/update-codeql-python-analysis branch January 14, 2026 19:06