Add actions to codeql analysis workflow

[oscarsj]

Add actions to the list of languages codeql should analyse.
This proposal includes the matrixed approach for allowing paralelization of analysis, suggested on https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed tried the parallel approach from docs, but it didn't work, so resorting to regular, sequential runs

PR Overview

This pull request adds minimal changes to the CodeQL workflow in order to enable analysis of GitHub Actions along with C#.

• Adds a matrix strategy to run CodeQL on both 'actions' and 'csharp'.
• Removes the hard-coded languages parameter from the Initialize CodeQL step.

Changes

File	Description
.github/workflows/codeql-analysis.yml	Updates the workflow to include a matrix for actions and csharp.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

.github/workflows/codeql-analysis.yml:45

• Removing the static 'languages' parameter from the Initialize CodeQL step means the matrix value is not automatically passed. Consider replacing it with 'languages: ${{ matrix.language }}' to ensure the workflow analyzes the correct language for each job.

-        languages: csharp

Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more

[adityasharad]

This doesn't seem to have worked (in fact it is attempting all languages). I suspect the docs or our automatic parsing of workflow matrices are wrong. Can you try an explicit languages: ${{ matrix.language }} here?

We may also need to specify a category so that the old and new csharp alerts match up.

[navntoft]

Do I understand this correctly in that matrix.<dimension> would get passed to an action implicitly if it has an input of the same name? In that case the problem is likely language vs languages. I would prefer to pass it explicitly (languages: ${{ matrix.language }}) for clarity , though.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.