Conversation
Move CodeQL analysis from an embedded job in security.yml to a standalone codeql.yml workflow using GitHub's recommended Advanced setup pattern.

- Add language matrix: Go (manual build) + Actions (no build)
- Add concurrency group to cancel superseded PR runs
- Add 30-minute timeout to prevent runaway jobs
- Upload SARIF with if: always() to capture partial results
- Drop legacy CODEQL_EXTRACTOR_GO_BUILD_TRACING env var
Sensitive Change Detection (shadow mode)
This PR modifies control-plane files:
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 15896ff86d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Pull request overview
This PR moves CodeQL scanning out of the bundled .github/workflows/security.yml workflow into a standalone .github/workflows/codeql.yml workflow following GitHub’s “Advanced” CodeQL setup, and expands scanning to include GitHub Actions workflows.
Changes:
- Removed the embedded `codeql` job from `security.yml`.
- Added a dedicated `codeql.yml` workflow with a matrix for `go` and `actions`.
- Added concurrency control, a 30-minute timeout, and `if: always()` on SARIF upload.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/security.yml | Removes the inline CodeQL job so the security workflow focuses on the remaining security checks. |
| .github/workflows/codeql.yml | Introduces a standalone CodeQL workflow using an advanced matrix (Go + Actions) and explicit SARIF upload behavior. |
Comments suppressed due to low confidence (1)
.github/workflows/security.yml:109
- Removing the `codeql` job from this reusable `security.yml` workflow means callers via `workflow_call` (e.g., the release workflow's `security` job) will no longer run CodeQL at all on tag releases. If CodeQL is still intended to be part of the release security gate, consider either adding a `workflow_call` trigger to `codeql.yml` and invoking it from `release.yml`, or reintroducing a CodeQL job that runs only for `workflow_call`/tag contexts.

```yaml
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  with:
    persist-credentials: false
- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
```
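To make the pattern described in the commit message concrete (Go manual-build plus Actions no-build matrix, a concurrency group that cancels superseded PR runs, a 30-minute timeout, and a SARIF upload that runs with `if: always()`), here is an illustrative standalone `codeql.yml`. It is an added example written for this page, not the project's actual `codeql.yml`; it also includes the `workflow_call` trigger that the review comment above suggests so a release workflow can reuse it. The branch names, cron schedule, config-file path, Go setup step and the non-pinned action tags are assumptions; the project itself pins actions to full commit SHAs, as the checkout line above shows.

```yaml
name: CodeQL

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"       # assumed weekly scan
  workflow_call:              # lets release.yml call this workflow (reviewer suggestion above)

# One group per workflow + ref; only PR runs are cancelled when superseded,
# so a scheduled or push run on main is never killed by a newer one.
concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 30       # cap runaway extractor/query runs
    permissions:
      contents: read
      actions: read           # needed to scan workflow files
      security-events: write  # needed to upload SARIF to code scanning
    strategy:
      fail-fast: false        # an Actions-scan failure should not cancel the Go scan
      matrix:
        include:
          - language: go
            build-mode: manual
          - language: actions
            build-mode: none

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # Manual build mode needs a Go toolchain on PATH; version file path assumed.
      - uses: actions/setup-go@v5
        if: matrix.language == 'go'
        with:
          go-version-file: go.mod

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          config-file: ./.github/codeql/codeql-config.yml  # assumed location of the existing config

      # Only the Go entry builds; build tracing is handled by the init step,
      # so the legacy CODEQL_EXTRACTOR_GO_BUILD_TRACING env var is not set.
      - name: Build Go
        if: matrix.build-mode == 'manual'
        run: go build ./...

      # Analyze without uploading, so the upload is its own step that can
      # still run (and capture partial results) if this step fails.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          upload: never
          output: sarif-results

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results
          category: "/language:${{ matrix.language }}"
```

Two details worth checking when adapting this: the `category` must be identical on the analyze and upload steps (and distinct per matrix entry) or code scanning will treat each run as a new alert set, and `security-events: write` has to be granted at job level because the top-level `permissions` block here deliberately leaves everything else read-only.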
Summary

- Move CodeQL analysis from an embedded job in security.yml to a standalone codeql.yml workflow using GitHub's recommended Advanced setup pattern
- Add `actions` language to the matrix — scans workflow files for injection vulnerabilities alongside Go analysis
- `if: always()` on SARIF upload

No changes to the CodeQL config file (`security-and-quality` queries, diagnostic/metric exclusions) or to release.yml — security.yml retains its other 4 jobs (secrets, trivy, gosec, dependency-review) and the `workflow_call` trigger.

Test plan

- security.yml jobs still pass without the removed `codeql` job

Summary by cubic

Switches CodeQL scanning to GitHub's Advanced setup in a dedicated codeql.yml workflow. Adds Actions workflow scanning and tighter controls for reliable uploads.

New Features

- `go` (manual build) and `actions` (no build).
- `if: always()` SARIF upload.

Refactors

- security.yml to standalone codeql.yml (Advanced setup).
- security.yml jobs unchanged.

Written for commit 15896ff. Summary will update on new commits.