Enhance capabilities compatibility check workflow

.github/workflows/capabilities-compatibility.yml

@@ -2,24 +2,42 @@ name: Capabilities compatibility check
 
 on:
   pull_request:
-    paths:
-      - 'capabilities.json'
 
 jobs:
   check-capabilities:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout base and PR
+      - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0
-          # needed to get the base branch
+          fetch-depth: 0 # Fetches all history to allow diffing against the base branch
+
+      - name: Check for capabilities.json changes
+        id: check_changes
+        run: |
+          # Compare the PR branch with the base branch to find changed files
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD)
+          echo "Files changed in this PR:"
+          echo "$CHANGED_FILES"
+
+          if echo "$CHANGED_FILES" | grep -q "capabilities.json"; then
+            echo "capabilities.json was modified."
+            echo "any_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "capabilities.json was not modified. Skipping compatibility check."
+            echo "any_changed=false" >> $GITHUB_OUTPUT
+          fi
+        shell: bash
+
       - name: Determine base ref
+        if: steps.check_changes.outputs.any_changed == 'true'
         id: vars
         run: |
           echo "BASE_REF=${{ github.event.pull_request.base.ref }}" >> $GITHUB_OUTPUT
           echo "PR_REF=${{ github.head_ref }}" >> $GITHUB_OUTPUT
+
       - name: Checkout base branch file
+        if: steps.check_changes.outputs.any_changed == 'true'
         run: |
           git fetch origin ${{ github.event.pull_request.base.ref }} --depth=1
           if git show origin/${{ github.event.pull_request.base.ref }}:capabilities.json > capabilities.base.json 2>/dev/null; then
@@ -28,7 +46,9 @@ jobs:
             echo "No capabilities.json in base branch - treating as new file"
             echo '{}' > capabilities.base.json
           fi
+
       - name: Run compatibility script
+        if: steps.check_changes.outputs.any_changed == 'true'
         run: |
           node ./.github/scripts/check-capabilities-compatibility.js --baseFile=capabilities.base.json --prFile=capabilities.json || exit 1
         shell: bash

.github/workflows/codeql.yml

@@ -17,6 +17,7 @@ jobs:
       actions: read
       contents: read
       security-events: write
+      pull-requests: read
 
     strategy:
       fail-fast: false
@@ -30,7 +31,7 @@ jobs:
         fetch-depth: 2
 
     - name: Use Node.js 18
-      uses: actions/setup-node@v2
+      uses: actions/setup-node@v4
       with:
         node-version: 18.x
 
@@ -41,9 +42,19 @@ jobs:
       uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
+        config: |
+          paths:
+            - src
+            - test
+          paths-ignore:
+            - node_modules
+            - dist
+            - .tmp
 
     - name: Autobuild
       uses: github/codeql-action/autobuild@v3
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
+      with:
+        upload: true