From cc80a40d86b441f80925166bf62c17b9f3ade517 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 27 Apr 2026 15:43:53 -0700
Subject: [PATCH] fix(ci): preserve mixed macOS CodeQL SARIF findings

Conservatively filter macOS CodeQL SARIF by dropping only findings where every location is SwiftPM build output. Verified with workflow sanity, local jq filtering, PR CI, and a failed-job rerun for an unrelated stalled Vitest shard.
---
 .github/workflows/codeql.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2179539f795..029376bbe17 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -177,7 +177,8 @@ jobs:
           for file in "${files[@]}"; do
             jq '
               def in_dependency_build:
-                ((.locations[0].physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
+                ((.locations // []) | length > 0)
+                and all(.locations[]; (.physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
 
               .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
             ' "$file" > "sarif-results-filtered/$(basename "$file")"