From 46dd97c0e658632ca5e3152446db960d7bb2414c Mon Sep 17 00:00:00 2001
From: Chadin Anuwattanaporn
Date: Fri, 30 Jan 2026 16:46:36 +0800
Subject: [PATCH 1/2] ci: bump codeql action version

---
 .github/workflows/ci.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 41b4bb14..572ee86b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -98,12 +98,12 @@ jobs:
 uses: actions/checkout@v4
 
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: javascript-typescript
 
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
 
 test:
 name: Test

From e743be1d93fd267068cb2cb247d7ba82e8b70ea2 Mon Sep 17 00:00:00 2001
From: Chadin Anuwattanaporn
Date: Fri, 30 Jan 2026 17:09:57 +0800
Subject: [PATCH 2/2] ci: move sast to a separate workflow - so it can run on both MR and main

---
 .github/workflows/ci.yaml | 17 -----------------
 .github/workflows/sast.yml | 29 +++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 17 deletions(-)
 create mode 100644 .github/workflows/sast.yml

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 572ee86b..bd83e2fa 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -88,23 +88,6 @@ jobs:
 - name: Check
 run: pnpm check
 
- sast:
- name: SAST
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
- with:
- languages: javascript-typescript
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
-
 test:
 name: Test
 runs-on: ubuntu-latest
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
new file mode 100644
index 00000000..c62a000c
--- /dev/null
+++ b/.github/workflows/sast.yml
@@ -0,0 +1,29 @@
+name: SAST
+
+on:
+ pull_request:
+ branches: ['*']
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+ security-events: write
+ id-token: write
+
+jobs:
+ codeql:
+ name: CodeQL
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: javascript-typescript
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
\ No newline at end of file
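Review bot: The workflow-level `permissions` block grants `id-token: write`, but none of the visible steps (checkout, CodeQL init, CodeQL analyze) uses OIDC, so that line can be removed and the job kept at `contents: read` plus `security-events: write`; any later step that really needs an OIDC token can request it at job level instead of every step in the workflow being able to mint one. The `pull_request` trigger's `branches: ['*']` filters on the PR base branch, and a single `*` does not match `/`, so PRs targeting branches such as `release/x` would presumably not be scanned — if the intent is every PR, drop the filter or use `'**'`. Both `actions/checkout` and `github/codeql-action` are referenced by the floating `@v4` tag; pinning to a full commit SHA with the version in a trailing comment would make the workflow's supply chain reproducible. The file is also missing its trailing newline.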