hyperpolymath · hyperpolymath · May 16, 2026 · May 16, 2026
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -8,28 +8,57 @@ on:
     branches: [main, master]
   schedule:
     - cron: '0 6 * * 1'
+# Estate guardrail: cancel superseded runs so re-pushes don't pile up
+# queued runs across the estate. Safe here because this workflow only
+# performs read-only checks/lint/test/scan with no publish or mutation.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
+  # The estate is heterogeneous (Rust, Idris2, Agda, Elixir, ReScript,
+  # occasional JS/TS/Python). A hard-coded `javascript-typescript` matrix
+  # made CodeQL exit with a "no source / configuration error" on every
+  # non-JS/TS repo — a permanent false-red `analyze` on most repos' main.
+  # Detect the languages the repo ACTUALLY contains and only analyse the
+  # CodeQL-supported, buildless-safe ones; skip entirely when none apply.
+  detect:
+    runs-on: ubuntu-latest
+    outputs:
+      langs: ${{ steps.pick.outputs.langs }}
+    steps:
+      - name: Pick CodeQL languages from repo language stats
+        id: pick
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          stats=$(gh api "repos/${{ github.repository }}/languages" --jq 'keys[]' 2>/dev/null || echo "")
+          out=""
+          add() { out="$out $1"; }
+          echo "$stats" | grep -qix 'Rust'                 && add rust
+          echo "$stats" | grep -qixE 'JavaScript|TypeScript' && add javascript-typescript
+          echo "$stats" | grep -qix 'Python'               && add python
+          echo "$stats" | grep -qix 'Ruby'                 && add ruby
+          echo "$stats" | grep -qix 'Go'                   && add go
+          arr=$(printf '%s\n' $out | grep . | sort -u | jq -R . | jq -s -c .)
+          [ -z "$arr" ] && arr='[]'
+          echo "Detected CodeQL languages: $arr"
+          echo "langs=$arr" >> "$GITHUB_OUTPUT"
+
   analyze:
+    needs: detect
+    if: needs.detect.outputs.langs != '[]'
     runs-on: ubuntu-latest
     permissions:
       contents: read
       security-events: write
     strategy:
       fail-fast: false
       matrix:
-        include:
-          # verisimiser is a Rust crate with zero JS/TS source. The estate
-          # template's default `javascript-typescript` made CodeQL fail with
-          # a "no source / configuration error" on every run (pre-existing
-          # red on main, not introduced by #102). Analyse the language that
-          # actually exists. `build-mode: none` is the correct (buildless)
-          # extraction mode for Rust in CodeQL.
-          - language: rust
-            build-mode: none
+        language: ${{ fromJSON(needs.detect.outputs.langs) }}
 
     steps:
       - name: Checkout
@@ -39,7 +68,7 @@ jobs:
         uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
         with:
           languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
+          build-mode: none
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1