perf(ci): optimize CodeQL analysis performance with query filtering and path exclusions

tristandubbeld · tristandubbeld · commit 8a447674c418 · 2025-11-21T10:38:34.000+01:00
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -1,7 +1,7 @@
 name: "CodeQL Config"
 
-# Exclude paths to reduce disk space usage during CodeQL analysis
-# This prevents analyzing unnecessary files that consume disk space
+# Exclude paths to reduce disk space usage and improve analysis performance
+# This prevents analyzing unnecessary files that consume disk space and time
 paths-ignore:
   # Dependencies - don't analyze third-party code
   - "**/node_modules"
@@ -16,6 +16,23 @@ paths-ignore:
   - "**/www"
   - "**/release"
   
+  # Test files - exclude test code to improve performance
+  # Test files rarely contain security vulnerabilities that matter for production
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.spec.ts"
+  - "**/*.spec.tsx"
+  - "**/*.test.js"
+  - "**/*.test.jsx"
+  - "**/*.spec.js"
+  - "**/*.spec.jsx"
+  
+  # Storybook files
+  - "**/*.stories.tsx"
+  - "**/*.stories.ts"
+  - "**/*.stories.jsx"
+  - "**/*.stories.js"
+  
   # Test fixtures and snapshots
   - "**/__mocks__"
   - "**/__image_snapshots__"
@@ -26,6 +43,16 @@ paths-ignore:
   - "**/test/**/*.svg"
   - "**/integration-tests/**/*.png"
   
+  # Test utilities and configs
+  - "**/test-utils/**"
+  - "**/testing/**"
+  - "**/jest.config.*"
+  - "**/jest.setup.*"
+  - "**/coverage/**"
+  
+  # Generated type definition files
+  - "**/*.d.ts"
+  
   # Example and playground files - not production code
   - "**/example"
   - "**/examples"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -12,6 +12,7 @@ jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     permissions:
       # required for all workflows
       security-events: write
@@ -68,13 +69,28 @@ jobs:
       uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
+    # Use security-extended query pack for PRs (faster), security-and-quality for main/scheduled (comprehensive)
+    - name: Initialize CodeQL (PR - security-extended)
+      if: github.event_name == 'pull_request'
       uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
         # Use our custom config file to exclude unnecessary files
         config-file: ./.github/codeql/codeql-config.yml
+        # Use security-extended for faster PR analysis
+        queries: +security-extended
+
+    - name: Initialize CodeQL (main/scheduled - security-and-quality)
+      if: github.event_name != 'pull_request'
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # Use our custom config file to exclude unnecessary files
+        config-file: ./.github/codeql/codeql-config.yml
+        # Use security-and-quality for comprehensive analysis on main branch and scheduled runs
+        queries: +security-and-quality
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v4
