ci: update build command for codeql

MetaMask · witmicko · Nov 26, 2025 · Dec 2, 2025 · Dec 9, 2025 · Dec 9, 2025
commit e283983287f216b9b4fbb182ef50f9e525b790c1
@@ -3,14 +3,14 @@
 **This PR may be auto-merged in the future if not configured.**
 
 If your team does not need the security scanner:
-- **Add a comment on this PR** explaining why your team is opting out
-- **Close this PR** to prevent auto-merge
-- **Add a `.github/no-security-scanner` file** to your repository to prevent future onboarding attempts
+1. **Add a comment on this PR** explaining why your team is opting out
+2. **Close this PR** to prevent auto-merge
+3. **Add a `.github/no-security-scanner` file** to your repository to prevent future onboarding attempts
 
 If you need the scanner but want to customize it:
-- Complete the checklist below
-- Review and modify the workflow file as needed
-- Approve and merge this PR when ready
+1. Complete the checklist below
+2. Review and modify the workflow file as needed
+3. Approve and merge this PR when ready
 
 If no action is taken, this PR may be automatically merged after a grace period to ensure baseline security coverage across all repositories.
 
@@ -19,7 +19,7 @@ If no action is taken, this PR may be automatically merged after a grace period
 ## Required Action
 
 Prior to merging this pull request, please ensure the following has been completed:
-- [ ] The lines specifying `branches` correctly specifies this repository's default branch (usually `main` or `master`).
+- [ ] The lines specifying `branches` correctly specify this repository's default branch (usually `main` or `master`).
 - [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup))
 - [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below)
 - [ ] Any existing CodeQL configuration has been disabled.
@@ -49,6 +49,7 @@ The scanner auto-detects languages in your repository. If you need to customize
 **Common use cases:**
 
 1. **Ignore falsely detected languages:**
+
    ```yaml
    languages-config: |
      [
@@ -60,6 +61,7 @@ The scanner auto-detects languages in your repository. If you need to customize
    ```
 
 2. **Configure Java/Kotlin builds:**
+
    ```yaml
    languages-config: |
      [

@@ -4,14 +4,9 @@ on:
   workflow_dispatch:
     inputs:
       repository:
-        description: 'Repository to onboard (format: owner/repo)'
+        description: 'Repository to onboard (format: owner/repo, e.g., MetaMask/snaps)'
         required: true
         type: string
-      base_branch:
-        description: 'Base branch to create PR against'
-        required: false
-        default: 'main'
-        type: string
   repository_dispatch:
     types: [new_repository_created]
 
@@ -31,13 +26,24 @@ jobs:
         id: target
         run: |
           if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
-            echo "repository=${{ github.event.client_payload.repository }}" >> $GITHUB_OUTPUT
-            echo "base_branch=${{ github.event.client_payload.base_branch || 'main' }}" >> $GITHUB_OUTPUT
+            REPO="${{ github.event.client_payload.repository }}"
+            BASE_BRANCH="${{ github.event.client_payload.base_branch }}"
           else
-            echo "repository=${{ inputs.repository }}" >> $GITHUB_OUTPUT
-            echo "base_branch=${{ inputs.base_branch }}" >> $GITHUB_OUTPUT
+            REPO="${{ inputs.repository }}"
+            BASE_BRANCH=""
+          fi
+
+          # If base_branch is not set, detect it from the repository
+          if [ -z "$BASE_BRANCH" ]; then
+            echo "Detecting default branch for $REPO..."
+            BASE_BRANCH=$(gh api repos/$REPO --jq '.default_branch')
           fi
+
+          echo "repository=$REPO" >> $GITHUB_OUTPUT
+          echo "base_branch=$BASE_BRANCH" >> $GITHUB_OUTPUT
         shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Checkout target repository
         uses: actions/checkout@v4
@@ -65,16 +71,16 @@ jobs:
           git add .github/workflows/security-code-scanner.yml
           git commit -m "chore: add MetaMask Security Code Scanner workflow
 
-This PR adds the MetaMask Security Code Scanner workflow to enable
-automated security scanning of the codebase.
+          This PR adds the MetaMask Security Code Scanner workflow to enable
+          automated security scanning of the codebase.
 
-The scanner will run on:
-- Push to main branch
-- Pull requests to main branch
-- Manual workflow dispatch
+          The scanner will run on:
+          - Push to main branch
+          - Pull requests to main branch
+          - Manual workflow dispatch
 
-To configure the scanner for your repository's specific needs,
-please review the workflow file and adjust as necessary."
+          To configure the scanner for your repository's specific needs,
+          please review the workflow file and adjust as necessary."
 
           git push origin "$BRANCH_NAME"
         shell: bash