From e07ff96de8676d6116108881ef0a7974116c27cc Mon Sep 17 00:00:00 2001 From: Daniel Chao Date: Thu, 23 Apr 2026 11:28:16 -0700 Subject: [PATCH] Switch CodeQL to use PklCI API (#1555) --- .github/PklProject | 2 +- .github/PklProject.deps.json | 16 ++++----- .github/codeql.pkl | 67 ------------------------------------ .github/index.pkl | 15 +++++--- .github/workflows/codeql.yml | 15 ++++---- 5 files changed, 27 insertions(+), 88 deletions(-) delete mode 100644 .github/codeql.pkl diff --git a/.github/PklProject b/.github/PklProject index 07a11b8b..e8b270c2 100644 --- a/.github/PklProject +++ b/.github/PklProject @@ -2,7 +2,7 @@ amends "pkl:Project" dependencies { ["pkl.impl.ghactions"] { - uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.6.0" + uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.7.0" } ["gha"] { uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.4.0" diff --git a/.github/PklProject.deps.json b/.github/PklProject.deps.json index 0a621f20..4aef34ac 100644 --- a/.github/PklProject.deps.json +++ b/.github/PklProject.deps.json 
@@ -3,16 +3,16 @@ "resolvedDependencies": { "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1": { "type": "remote", - "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.4.0", + "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.6.0", "checksums": { - "sha256": "e0b9a9f71071d6101e9d764c069b2ec4a597d5315cb6e4c265b3f0d90c2b482c" + "sha256": "10e27d63df4a4520d8a9375962406ca5ffe74f396bd3cb1c19b1f8358505010a" } }, "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1": { "type": "remote", - "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.6.0", + "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.7.0", "checksums": { - "sha256": "fbc3c456ea468a0fe6baa9b3d30167259ac04e721a41a10fe82d2970026f0b1d" + "sha256": "962cdba703b50e86ecfda1a1345bf58caa7b4839dd090eae6120024d862793d0" } }, "package://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1": { @@ -24,16 +24,16 @@ }, "package://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1": { "type": "remote", - "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.1.0", + "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.1.3", "checksums": { - "sha256": "025fac778f2c5f75c8229fa4ec0f49ebdb99a61affe9aae489fefd8fccd92faa" + "sha256": "521feb6f5ff12075ebad0758799fe7ec2675d231a0e0f5456694c8d4822a8171" } }, "package://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1": { "type": "remote", - "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.1", + "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.3", "checksums": { - "sha256": "0a4fe9b0983716ec49fb060b9e5e83f8c365eb899d517123b43134416a9574b6" + "sha256": "a8934d84ffd11992d7baf6acfd97bae31d6112fa8add5cc8b5b4a722ce5b9ffc" } } } 
diff --git a/.github/codeql.pkl b/.github/codeql.pkl deleted file mode 100644 index 527f8d0a..00000000 --- a/.github/codeql.pkl +++ /dev/null @@ -1,67 +0,0 @@ -amends "@gha/Workflow.pkl" - -import "@gha/catalog.pkl" - -on { - push { - branches { - "main" - } - } - pull_request {} - schedule { - // Run at 01:38 on Saturday - new { cron = "38 1 * * 6" } - } -} - -local class CodeQLScan { - language: String - - `build-mode`: String -} - -local scans: Listing = new { - new { - language = "actions" - `build-mode` = "none" - } - new { - language = "java-kotlin" - `build-mode` = "autobuild" - } - new { - language = "javascript-typescript" - `build-mode` = "none" - } -} - -jobs { - for (scan in scans) { - ["analyze-\(scan.language)"] { - name = "Analyze (\(scan.language))" - `runs-on` = "ubuntu-latest" - permissions { - `security-events` = "write" - } - steps { - catalog.`actions/checkout@v6` - new { - name = "Initialize CodeQL" - uses = "github/codeql-action/init@v4" - with { - ["languages"] = scan.language - ["build-mode"] = scan.`build-mode` - } - } - new { - name = "Perform CodeQL Analysis" - uses = "github/codeql-action/analyze@v4" - with { - ["category"] = "/language:\(scan.language)" - } - } - } - } - } -} diff --git a/.github/index.pkl b/.github/index.pkl index 0810d4a3..ef4a5209 100644 --- a/.github/index.pkl +++ b/.github/index.pkl @@ -9,7 +9,6 @@ import "jobs/GithubRelease.pkl" import "jobs/GradleJob.pkl" import "jobs/PklJob.pkl" import "jobs/SimpleGradleJob.pkl" -import "codeql.pkl" triggerDocsBuild = "both" @@ -241,7 +240,15 @@ dependabot { } } -workflows { - // add codeql workflow to set of workflows - ["workflows/codeql.yml"] = codeql +codeql { + scans { + new { + language = "java-kotlin" + buildMode = "autobuild" + } + new { + language = "javascript-typescript" + buildMode = "none" + } + } } diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2c7acb05..35836c5f 100644 --- a/.github/workflows/codeql.yml 
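Review bot: The new `codeql { scans { … } }` block in `.github/index.pkl` no longer lists the `actions` language or any trigger settings, so what CodeQL scans and when is now decided by defaults in `pkl.impl.ghactions@1.7.0` rather than by this repository. The regenerated `codeql.yml` still contains an `analyze-actions` job, which suggests the library adds that scan itself, but it also narrows `pull_request` to `branches: [main]` and moves the cron, so pull requests that target any other branch (a release branch, say) would no longer be analysed. If that narrowing is intended, I would record it next to the block, e.g. `// "actions" scan, triggers and schedule come from pkl.impl.ghactions defaults; PRs are only scanned when they target main`; if it is not, the trigger should be overridden here, assuming the API exposes it.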
+++ b/.github/workflows/codeql.yml @@ -1,11 +1,13 @@ # Generated from Workflow.pkl. DO NOT EDIT. 'on': - pull_request: {} + pull_request: + branches: + - main push: branches: - main schedule: - - cron: 38 1 * * 6 + - cron: 29 17 * * 4 jobs: analyze-actions: name: Analyze (actions) @@ -16,8 +18,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: languages: actions build-mode: none @@ -34,8 +35,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: languages: java-kotlin build-mode: autobuild @@ -52,8 +52,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: languages: javascript-typescript build-mode: none