
Conversation

@safaiyeh
Member

Summary

Fixes CodeQL autobuild failure for java-kotlin analysis.

Problem

The CodeQL autobuild was failing because:

  1. Gradle 9.2.1 requires JVM 17+ to run
  2. Autobuild incorrectly selected JVM 8 based on the sourceCompatibility setting in android/build.gradle
  3. The Android library cannot be built standalone - it requires the parent React Native project context

Solution

  • Added a custom CodeQL workflow at .github/workflows/codeql.yml
  • Use build-mode: none (buildless extraction) which analyzes source code directly without requiring a Gradle build
  • Set up Java 17 to ensure Gradle compatibility if needed
  • Added javascript-typescript analysis for the TypeScript source code

Note

After merging, you may want to disable GitHub's default code scanning setup in Settings → Code security and analysis to avoid duplicate scans.

- Use build-mode: none for java-kotlin to avoid Gradle build issues
- Set up Java 17 to ensure Gradle compatibility if needed
- Add javascript-typescript analysis for TypeScript source code

Fixes CodeQL autobuild failure caused by Gradle 9.2.1 requiring JVM 17+
while autobuild incorrectly selected JVM 8 based on sourceCompatibility.
@greptile-apps

greptile-apps bot commented Dec 27, 2025

Greptile Summary

This PR adds a custom CodeQL workflow configuration that fixes the autobuild failure by using buildless extraction (build-mode: none) for both java-kotlin and javascript-typescript analysis. The solution correctly addresses the root cause: the Android library cannot be built standalone without the parent React Native project context, and autobuild was incorrectly selecting JVM 8 based on sourceCompatibility in android/build.gradle while Gradle 9.2.1 requires JVM 17+.

Key changes:

  • Configured buildless extraction which analyzes source code directly without requiring a Gradle build
  • Set up Java 17 (Temurin) for java-kotlin analysis to ensure Gradle compatibility if needed
  • Added javascript-typescript analysis for the TypeScript source files in the repository
  • Configured workflow to run on pushes to master, pull requests, and weekly schedule
  • Set proper permissions for security-events, packages, actions, and contents

The workflow uses matrix strategy with fail-fast: false to ensure both language analyses run independently. The configuration is clean, follows GitHub Actions best practices, and appropriately solves the build failure issue.

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • The workflow configuration is correct, well-structured, and directly addresses the identified problem. Buildless extraction is the appropriate solution for this use case where the Android library requires parent project context. Java 17 setup ensures compatibility, and the inclusion of javascript-typescript analysis is appropriate given the TypeScript source files in the repository. The workflow follows GitHub Actions best practices with proper permissions, matrix strategy, and fail-fast configuration.
  • No files require special attention

Important Files Changed

Filename: .github/workflows/codeql.yml
Overview: Added CodeQL workflow with buildless extraction for java-kotlin and javascript-typescript analysis

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Runner as Ubuntu Runner
    participant Java as Java 17 Setup
    participant CodeQL as CodeQL Action
    participant Repo as Repository Code

    Note over GH,Repo: Triggered on push, PR, or weekly schedule

    par Java-Kotlin Analysis
        GH->>Runner: Start analyze job (java-kotlin)
        Runner->>Repo: Checkout repository
        Runner->>Java: Set up Java 17 (Temurin)
        Java-->>Runner: Java 17 ready
        Runner->>CodeQL: Initialize CodeQL (java-kotlin, build-mode: none)
        CodeQL->>Repo: Scan source files without build
        CodeQL-->>Runner: Analysis complete
        Runner->>CodeQL: Perform CodeQL Analysis
        CodeQL->>GH: Upload security events (category: /language:java-kotlin)
    and JavaScript-TypeScript Analysis
        GH->>Runner: Start analyze job (javascript-typescript)
        Runner->>Repo: Checkout repository
        Note over Runner,Java: Skip Java setup (not needed)
        Runner->>CodeQL: Initialize CodeQL (javascript-typescript, build-mode: none)
        CodeQL->>Repo: Scan TypeScript/JavaScript files
        CodeQL-->>Runner: Analysis complete
        Runner->>CodeQL: Perform CodeQL Analysis
        CodeQL->>GH: Upload security events (category: /language:javascript-typescript)
    end

    GH->>GH: Store security scanning results

@greptile-apps

greptile-apps bot commented Dec 27, 2025

Greptile found no issues!

From now on, if a review finishes and we haven't found any issues, we will not post anything, but you can confirm that we reviewed your changes in the status check section.

This feature can be toggled off in your Code Review Settings by deselecting "Create a status check for each PR".

- Set up Node.js and install dependencies
- Build from example/android which includes the library
- This allows CodeQL to trace the Kotlin compilation

The gradle-wrapper.jar is not committed to the repo

- Add Gradle caching via setup-java
- Add Yarn caching via setup-node
- Use lts/* for latest LTS Node version
- Use --frozen-lockfile for reproducible installs

The system Gradle 9.2.1 has Kotlin 2.2.x which is incompatible with
React Native's gradle-plugin that requires Kotlin 1.9.x. Download the
wrapper jar for Gradle 8.10.2 directly instead.

…aching

Replaces manual wrapper jar download with the official Gradle action
which handles wrapper installation and provides automatic caching.

The wrapper jar is not in the repo, so use the installed Gradle
directly instead of relying on the wrapper.

…uild

- Matrix strategy for java-kotlin, javascript-typescript, and ruby
- Manual build mode for java-kotlin with proper Gradle setup
- build-mode: none for JS/TS and Ruby
- Updated to codeql-action v4
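The PR description and the follow-up commits above describe two states of the workflow: the first version used build-mode: none for java-kotlin, and the later commits switched java-kotlin to a manual build driven from example/android while keeping buildless extraction for JS/TS and Ruby. The workflow below is an added example written to match that final description; it is not the repository's own .github/workflows/codeql.yml and was not written by the PR author. Assumptions, beyond what the page states: the cron time, a root yarn.lock (required for setup-node's Yarn cache), and the Gradle task name assembleDebug. The matrix include/build-mode shape, the per-job permissions and the init/analyze pair follow GitHub's standard CodeQL template.

```yaml
# Added example, not the project's own workflow. Assumed names are marked below.
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: '30 3 * * 1'   # weekly; the exact time is an assumption

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read           # checkout only; never write back to the repo
      security-events: write   # required to upload SARIF to code scanning
      packages: read           # lets CodeQL fetch query packs from GHCR
      actions: read            # needed on private repos to read run status
    strategy:
      fail-fast: false         # a failure in one language must not cancel the others
      matrix:
        include:
          - language: java-kotlin
            build-mode: manual  # Kotlin is not extracted by build-mode: none
          - language: javascript-typescript
            build-mode: none
          - language: ruby
            build-mode: none

    steps:
      - uses: actions/checkout@v4

      # init must run before the manual build so the tracer sees the compiler.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # Java 17 satisfies the JVM floor that autobuild missed; the cache input
      # caches ~/.gradle between runs.
      - name: Set up JDK 17
        if: matrix.language == 'java-kotlin'
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: gradle

      # gradle-wrapper.jar is not committed, so install a pinned Gradle and
      # invoke it directly instead of ./gradlew. 8.10.2 is the version the
      # commit messages settled on for compatibility with the RN Gradle plugin.
      - name: Set up Gradle
        if: matrix.language == 'java-kotlin'
        uses: gradle/actions/setup-gradle@v4
        with:
          gradle-version: '8.10.2'

      # The example app pulls the React Native Gradle plugin from node_modules,
      # so JS dependencies must be installed before the Android build.
      - name: Set up Node.js
        if: matrix.language == 'java-kotlin'
        uses: actions/setup-node@v4
        with:
          node-version: lts/*
          cache: yarn            # assumes a yarn.lock at the repo root

      # The library only builds inside the example app; running the build
      # between init and analyze is what lets CodeQL trace Kotlin compilation.
      - name: Build Android library via example app
        if: matrix.language == 'java-kotlin'
        run: |
          yarn install --frozen-lockfile
          cd example/android
          gradle assembleDebug --no-daemon   # task name is an assumption

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
```

Two points worth checking when adapting this: the category value must stay stable across runs, otherwise code scanning treats each run as a new analysis set and alerts are not closed; and the JS/TS and Ruby jobs deliberately skip every build step, since with build-mode: none CodeQL reads the source directly and a Gradle or Yarn failure there would only add a way for the scan to break.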
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@safaiyeh safaiyeh merged commit a5d672a into master Dec 27, 2025
7 checks passed
@safaiyeh safaiyeh deleted the fix-codeql branch December 27, 2025 23:02