Wikid82 · Wikid82 · Feb 18, 2026 · Feb 17, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,12 +1,16 @@
 name: CodeQL - Analyze
 
 on:
+  pull_request:
+    branches: [main, nightly]
+  push:
+    branches: [main, nightly, development]
   workflow_dispatch:
   schedule:
     - cron: '0 3 * * 1' # Mondays 03:00 UTC
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
   cancel-in-progress: true
 
 env:
@@ -23,9 +27,6 @@ jobs:
   analyze:
     name: CodeQL analysis (${{ matrix.language }})
     runs-on: ubuntu-latest
-    # Skip forked PRs where CHARON_TOKEN lacks security-events permissions
-    if: >-
-      (github.event_name != 'workflow_run' || github.event.workflow_run.status != 'completed' || github.event.workflow_run.conclusion == 'success')
     permissions:
       contents: read
       security-events: write
@@ -39,10 +40,10 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+          ref: ${{ github.sha }}
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/init@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4
         with:
           languages: ${{ matrix.language }}
           # Use CodeQL config to exclude documented false positives
@@ -58,10 +59,10 @@ jobs:
           cache-dependency-path: backend/go.sum
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/autobuild@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/analyze@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4
         with:
           category: "/language:${{ matrix.language }}"
 

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -558,7 +558,7 @@ jobs:
 
       - name: Upload Trivy results
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.trivy-check.outputs.exists == 'true'
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4.32.3
         with:
           sarif_file: 'trivy-results.sarif'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -704,7 +704,7 @@ jobs:
 
       - name: Upload Trivy scan results
         if: always()
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4.32.3
         with:
           sarif_file: 'trivy-pr-results.sarif'
           category: 'docker-pr-image'

diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
@@ -71,6 +71,66 @@ jobs:
             echo "has_changes=true" >> "$GITHUB_OUTPUT"
           fi
 
+  trigger-nightly-validation:
+    name: Trigger Nightly Validation Workflows
+    needs: sync-development-to-nightly
+    if: needs.sync-development-to-nightly.outputs.has_changes == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
+    steps:
+      - name: Dispatch Missing Nightly Validation Workflows
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        with:
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+
+            const { data: nightlyBranch } = await github.rest.repos.getBranch({
+              owner,
+              repo,
+              branch: 'nightly',
+            });
+            const nightlyHeadSha = nightlyBranch.commit.sha;
+            core.info(`Current nightly HEAD: ${nightlyHeadSha}`);
+
+            const workflows = [
+              { id: 'e2e-tests-split.yml' },
+              { id: 'codecov-upload.yml', inputs: { run_backend: 'true', run_frontend: 'true' } },
+              { id: 'security-pr.yml' },
+              { id: 'supply-chain-pr.yml' },
+              { id: 'codeql.yml' },
+            ];
+
+            for (const workflow of workflows) {
+              const { data: workflowRuns } = await github.rest.actions.listWorkflowRuns({
+                owner,
+                repo,
+                workflow_id: workflow.id,
+                branch: 'nightly',
+                per_page: 50,
+              });
+
+              const hasRunForHead = workflowRuns.workflow_runs.some(
+                (run) => run.head_sha === nightlyHeadSha,
+              );
+
+              if (hasRunForHead) {
+                core.info(`Skipping dispatch for ${workflow.id}; run already exists for nightly HEAD`);
+                continue;
+              }
+
+              await github.rest.actions.createWorkflowDispatch({
+                owner,
+                repo,
+                workflow_id: workflow.id,
+                ref: 'nightly',
+                ...(workflow.inputs ? { inputs: workflow.inputs } : {}),
+              });
+              core.info(`Dispatched ${workflow.id} on nightly (missing run for HEAD)`);
+            }
+
   build-and-push-nightly:
     needs: sync-development-to-nightly
     runs-on: ubuntu-latest
@@ -285,7 +345,7 @@ jobs:
           output: 'trivy-nightly.sarif'
 
       - name: Upload Trivy results
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6  # v4.32.3
+        uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2  # v4.32.3
         with:
           sarif_file: 'trivy-nightly.sarif'
           category: 'trivy-nightly'

diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
@@ -280,7 +280,7 @@ jobs:
       - name: Upload Trivy SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_exists == 'true' || github.event_name == 'push' || github.event_name == 'pull_request'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@b1b1e44da9bac3c3c733dd0dbecc16d3c7889499
+        uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2
         with:
           sarif_file: 'trivy-binary-results.sarif'
           category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}

diff --git a/.github/workflows/security-weekly-rebuild.yml b/.github/workflows/security-weekly-rebuild.yml
@@ -106,7 +106,7 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM'
 
       - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4.32.3
         with:
           sarif_file: 'trivy-weekly-results.sarif'
 

diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
@@ -339,7 +339,7 @@ jobs:
 
       - name: Upload SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_found == 'true'
-        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
+        uses: github/codeql-action/upload-sarif@015d8c7cbcbb8e7252a7dccfe81a90aa176260b2 # v4
         continue-on-error: true
         with:
           sarif_file: grype-results.sarif