@pawcoding (Owner)

No description provided.

Copilot AI left a comment

Pull request overview

This PR sets up a CodeQL Advanced workflow for automated security scanning with support for manual builds of the Android application. The workflow analyzes Actions, Java/Kotlin, and JavaScript/TypeScript code, running on pushes to master, pull requests, and on a weekly schedule.

  • Configures CodeQL with three language analyzers: Actions, Java/Kotlin (manual build), and JavaScript/TypeScript
  • Sets up keystore and build environment for scanning compiled Java/Kotlin code
  • Uses the existing build-apk.sh script for the manual build process

# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1

Copilot AI Nov 22, 2025

Missing required Java and Android SDK setup steps for the manual build. Other workflows in the project (test.yaml and android-release.yaml) show that both JDK 21 (Temurin distribution) and Android SDK setup are necessary before building Android projects. These setup steps should be added before line 70 (Initialize CodeQL) for the java-kotlin language matrix entry.

Example from test.yaml:

- name: 📦 Setup JDK
  uses: actions/setup-java@v5
  with:
    distribution: "temurin"
    java-version: "21"
    cache: "gradle"

- name: 📦 Setup Android SDK
  uses: android-actions/setup-android@v3
Suggested change

- name: 📦 Setup JDK
  if: matrix.language == 'java-kotlin'
  uses: actions/setup-java@v5
  with:
    distribution: "temurin"
    java-version: "21"
    cache: "gradle"

- name: 📦 Setup Android SDK
  if: matrix.language == 'java-kotlin'
  uses: android-actions/setup-android@v3

env:
KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
run: |
echo $KEYSTORE_BASE64 | base64 --decode > keystore.jks
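Review bot: the release signing keystore is decoded into the checkout root for a job that, per the overview, also runs on pull requests and on a weekly schedule. A CodeQL scan only needs the compiled Java/Kotlin classes, not a signed APK, so consider building unsigned (or with a throwaway debug key) in this workflow and leaving KEYSTORE_BASE64 to the release workflow. If the step has to stay, write the file to "$RUNNER_TEMP" rather than keystore.jks inside the analysed source tree, and delete it in a final step guarded by `if: always()` so it does not outlive the build on the runner.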
Copilot AI Nov 22, 2025

The keystore setup step will fail if the KEYSTORE_BASE64 secret is not set or is empty. The echo command should be quoted to properly handle the secret value, and the workflow should check if the secret exists before attempting to decode it. Consider adding a check or ensuring the secret is always available.

Suggested fix:

run: |
  echo "$KEYSTORE_BASE64" | base64 --decode > keystore.jks
Suggested change

- echo $KEYSTORE_BASE64 | base64 --decode > keystore.jks
+ if [ -z "$KEYSTORE_BASE64" ]; then
+   echo "ERROR: KEYSTORE_BASE64 secret is not set or is empty." >&2
+   exit 1
+ fi
+ echo "$KEYSTORE_BASE64" | base64 --decode > keystore.jks

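The empty-secret failure mode discussed in the comment above, carried a step further as an added example (this is not code from the PR, from build-apk.sh or from the repository): a shell function that refuses an empty or malformed KEYSTORE_BASE64 value, writes the decoded keystore with owner-only permissions, and leaves no partial file behind when decoding fails, so the job stops instead of building against an empty keystore.jks. The destination argument and the RUNNER_TEMP fallback are assumptions; the path build-apk.sh expects is not shown on this page.

```shell
# Added example, not part of the PR: hardened replacement for
#   echo $KEYSTORE_BASE64 | base64 --decode > keystore.jks
#
# decode_keystore <base64 text> <destination path>
#   - rejects an unset/empty secret (the case the review comment raises)
#   - quotes the secret so whitespace and special characters survive
#   - creates the file with mode 0600 (umask 077) and restores the umask
#   - removes any partial output and returns non-zero on bad input
decode_keystore() {
  b64="${1:-}"
  dest="${2:?destination path required}"

  if [ -z "$b64" ]; then
    echo "ERROR: KEYSTORE_BASE64 secret is not set or is empty." >&2
    return 1
  fi

  old_umask=$(umask)
  umask 077

  # GNU base64 exits non-zero on input outside the base64 alphabet, which
  # catches a secret that was pasted incorrectly rather than silently
  # producing garbage bytes.
  if ! printf '%s' "$b64" | base64 --decode > "$dest"; then
    echo "ERROR: KEYSTORE_BASE64 is not valid base64." >&2
    rm -f "$dest"
    umask "$old_umask"
    return 1
  fi
  umask "$old_umask"

  # A syntactically valid but empty payload still yields an empty file.
  if [ ! -s "$dest" ]; then
    echo "ERROR: decoded keystore is empty." >&2
    rm -f "$dest"
    return 1
  fi
  return 0
}

# In the workflow step the call would look like this. KEYSTORE_BASE64 is
# the secret name used by the PR; RUNNER_TEMP is set by GitHub Actions
# (assumed destination; adjust to whatever build-apk.sh expects). The
# guard lets this file be sourced without an environment.
if [ -n "${KEYSTORE_BASE64:-}" ]; then
  decode_keystore "$KEYSTORE_BASE64" "${RUNNER_TEMP:-/tmp}/keystore.jks"
fi
```

Because the function returns non-zero instead of calling `exit`, it can be sourced and tested locally; in the workflow step the default `bash -e` shell still aborts the job on that return value.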
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4
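Review bot: independent of the v4/v5 mismatch with the other workflows, `actions/checkout@v4` is referenced by a mutable tag, as are the setup actions suggested earlier in this review. In a workflow that handles the keystore secret, pin each action to its full commit SHA and keep the tag in a trailing comment (Dependabot still tracks it) so a retagged release cannot change what runs with access to that secret.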
Copilot AI Nov 22, 2025

The checkout action version is inconsistent with other workflows in the project. The test.yaml and android-release.yaml workflows both use actions/checkout@v5, while this workflow uses actions/checkout@v4. For consistency and to use the latest version, this should be updated to @v5.

Suggested change

- uses: actions/checkout@v4
+ uses: actions/checkout@v5

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- name: Run manual build steps
if: matrix.build-mode == 'manual' && matrix.language == 'java-kotlin'
Copilot AI Nov 22, 2025

The conditional logic matrix.build-mode == 'manual' && matrix.language == 'java-kotlin' is redundant. Based on the matrix configuration (lines 45-51), only java-kotlin has build-mode: manual, so checking both conditions is unnecessary. The condition can be simplified to just matrix.build-mode == 'manual'.

Suggested change

- if: matrix.build-mode == 'manual' && matrix.language == 'java-kotlin'
+ if: matrix.build-mode == 'manual'

Comment on lines +105 to +106
run: |
./scripts/build-apk.sh
Copilot AI Nov 22, 2025

[nitpick] The gradlew script needs to be made executable before running the build. While scripts/build-apk.sh includes chmod +x ./gradlew, it's better practice to ensure the permissions are set before calling any Gradle commands. Consider adding this step before running the build script or ensuring it's committed with executable permissions.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
