CI: codeql.yml and vscode-ci.yml fail at startup on every push to main #415

Description

@vicperdana

Summary

Two GitHub Actions workflows fail at startup (0s) on every push to main with
"This run likely failed because of a workflow file issue." These are
workflow-file/config errors — the workflow is rejected before any job runs, so
main shows a persistent red status even though the actual builds are healthy.

Workflow                               Status on main
ci.yml (CI)                            ✅ pass
docs.yaml (Docs)                       ✅ pass
codeql.yml (Analyze)                   ❌ fail @ 0s — workflow file issue
vscode-ci.yml (VS Code Extension CI)   ❌ fail @ 0s — workflow file issue

Root causes confirmed with actionlint.

Root cause 1 — .github/workflows/codeql.yml (line ~99)

The paths input to github/codeql-action/init is a YAML sequence, but the
action input must be a scalar string (newline/comma-separated). The list makes
the with: block invalid, so the workflow fails to start.

.github/workflows/codeql.yml:100:13: expected scalar node for string value but found sequence node with "!!seq" tag [syntax-check]

# Before
with:
  languages: javascript-typescript
  paths:
    - packages/vscode-extension/src

# After
with:
  languages: javascript-typescript
  paths: packages/vscode-extension/src

Impact: CodeQL (C#/TypeScript), DevSkim, and PSRule SARIF uploads to the
Security tab are not running on main.

Root cause 2 — .github/workflows/vscode-ci.yml (line 164)

The Publish to VS Marketplace (Pre-release) step uses the secrets context in
an if: conditional, which is not allowed. The expression is rejected and the
workflow fails to start.

.github/workflows/vscode-ci.yml:164:17: context "secrets" is not allowed here. available contexts are "env", "github", "inputs", "job", "matrix", "needs", "runner", "steps", "strategy", "vars". [expression]

The step already maps the secret to env.VSCE_PAT, so the fix is to test the
env context (which is allowed in if:):

# Before
if: ${{ secrets.VSCE_PAT != '' }}

# After
if: ${{ env.VSCE_PAT != '' }}

Actions

  • Fix codeql.yml — make paths a scalar string.
  • Fix vscode-ci.yml — change if: secrets.VSCE_PAT to if: env.VSCE_PAT.
  • Validate locally with actionlint (no [syntax-check] / [expression] errors remain).
  • Confirm green runs for both workflows on the next push to main.

Follow-ups (out of scope here)

Non-fatal shellcheck warnings flagged by actionlint (do not block runs, worth a
later cleanup):

  • ci.yml — SC2086, SC2129
  • vscode-ci.yml — SC2012, SC2035, SC2086
  • release-vscode.yml — SC2012, SC2035, SC2086
  • release-psdocs.yml, release-psdocs-azure.yml — SC2086

Findings generated from actionlint on the workflow files; verified against the
0s startup failures shown in recent Actions runs on main.
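
A minimal scanner for the two startup-failure patterns described in this issue, added here as an illustration; it is not the project's code and not a replacement for actionlint. The sample workflow is constructed, `REF` is a placeholder ref, and `find_startup_errors` is a hypothetical name.

```python
import re

# Constructed sample reproducing both patterns from the issue (not the project's real files).
SAMPLE = """\
jobs:
  analyze:
    steps:
      - uses: github/codeql-action/init@REF
        with:
          languages: javascript-typescript
          paths:
            - packages/vscode-extension/src
      - name: Publish
        if: ${{ secrets.VSCE_PAT != '' }}
        env:
          VSCE_PAT: ${{ secrets.VSCE_PAT }}
        run: echo publish
"""

# Matches "key: value" with an optional leading list dash ("- key: value").
KEY = re.compile(r"^(\s*)(?:-\s+)?([\w.-]+):\s*(.*)$")

def find_startup_errors(text):
    """Return (line, kind, detail) for sequence-valued `with:` inputs and
    `secrets.` references in single-line `if:` conditions."""
    findings = []
    with_indent = None   # indent of the enclosing `with:` key, if any
    pending = None       # (line, indent, name) of a with-input that has no inline value
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        # A deeper "- item" right after an empty-valued input means a YAML sequence.
        if pending and indent > pending[1] and line.lstrip().startswith("- "):
            findings.append((pending[0], "sequence-input", pending[2]))
        pending = None
        if with_indent is not None and indent <= with_indent:
            with_indent = None   # dedent: left the `with:` block
        m = KEY.match(line)
        if not m:
            continue
        key, value = m.group(2), m.group(3)
        if key == "with" and not value:
            with_indent = indent
        elif with_indent is not None and not value:
            pending = (no, indent, key)
        elif key == "if" and re.search(r"\bsecrets\.", value):
            findings.append((no, "secrets-in-if", value))
    return findings

if __name__ == "__main__":
    for finding in find_startup_errors(SAMPLE):
        print(finding)
```
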

Labels: bug (Something isn't working), ci-quality (Issues that affect CI/CD processes)