Context
CodeQL CLI 2.24.3 doesn't support Kotlin 2.3.20 (released 2026-03-16). The java-kotlin language was disabled in the CodeQL workflow matrix to unblock CI.
Upstream tracking: github/codeql#21484
What to do
Once github/codeql#21484 is resolved and a CodeQL CLI release supports Kotlin 2.3.20:
- Uncomment java-kotlin in .github/workflows/codeql.yml (two lines in the matrix builder, ~lines 61 and 68)
- Verify the CodeQL (java-kotlin) check passes
Duplicate CodeQL checks (known, low priority)
The repo runs both the org-enforced default CodeQL setup and our custom workflow, producing duplicate check runs for every language:
- Analyze (*) — default setup (org-enforced "GitHub recommended" config)
- CodeQL (*) — our custom workflow (SARIF filtering, manual build modes, config file)
Neither is a required status check, so the Analyze (java-kotlin) failure from the default setup doesn't block merges. The org config can't be overridden per-repo without also losing secret scanning, push protection, and GHAS. Not worth changing org policy for this — just cosmetic noise.