Build frontend for CodeQL; remove release analyze job

In the CodeQL workflow, add Node.js setup and a frontend build step for the Go matrix so vite emits web/dist before CodeQL's Go autobuild (the Go binary uses //go:embed all:dist and web/dist is .gitignored). In the release workflow, remove the separate Go analyze job (gofmt, go vet, staticcheck, tests) and drop its dependency from build jobs to simplify the release pipeline.
2026-05-13 09:36:05 +00:00 · 2026-05-09 17:56:16 +02:00 · 2026-05-09 17:56:16 +02:00 · 439f4cf1e8
commit 439f4cf1e8
parent bc00d37ad8
2 changed files with 20 additions and 41 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -35,6 +35,24 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v6

+      # The Go binary embeds web/dist/ via //go:embed all:dist (web/web.go).
+      # web/dist/ is .gitignored, so CodeQL's autobuild for Go will fail with
+      # "pattern all:dist: no matching files found" unless vite emits it first.
+      - name: Setup Node.js
+        if: matrix.language == 'go'
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Build frontend bundle
+        if: matrix.language == 'go'
+        run: |
+          npm ci
+          npm run build
+        working-directory: frontend
+
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -21,45 +21,7 @@ on:
  pull_request:

 jobs:
-  analyze:
-    name: Analyze Go code
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          cache: true
-
-      - name: Check formatting
-        run: |
-          unformatted=$(gofmt -l .)
-          if [ -n "$unformatted" ]; then
-            echo "These files are not gofmt-formatted:"
-            echo "$unformatted"
-            exit 1
-          fi
-
-      - name: Run go vet
-        run: go vet ./...
-
-      - name: Run staticcheck
-        uses: dominikh/staticcheck-action@v1
-        with:
-          version: "latest"
-          install-go: false
-
-      - name: Run tests
-        run: go test -race -shuffle=on ./...
-
  build:
-    needs: analyze
    permissions:
      contents: write
    strategy:
@ -88,7 +50,7 @@ jobs:
      # at compile time. web/dist/ is .gitignored, so on a fresh CI
      # checkout it doesn't exist until vite emits it.
      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'
@ -208,7 +170,6 @@ jobs:
  # =================================
  build-windows:
    name: Build for Windows
-    needs: analyze
    permissions:
      contents: write
    strategy:
@ -230,7 +191,7 @@ jobs:
      # Linux job above. This step is identical except npm runs on the
      # Windows runner here.
      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'