
ci: enable CodeQL security analysis#29

Open
don-petry wants to merge 3 commits into oneirosoft:main from don-petry:ci/codeql

Conversation

Contributor

@don-petry don-petry commented Mar 31, 2026

Why?

GitHub Actions workflows can contain security vulnerabilities (script injection, overly permissive tokens, unsafe third-party actions). CodeQL's actions language analysis catches these automatically, reducing the risk of supply-chain attacks through CI configuration.

Summary

  • Add CodeQL workflow (.github/workflows/codeql.yml) to scan GitHub Actions workflows for security issues
  • Runs on push/PR to main and on a weekly schedule (Mondays at 06:00 UTC)
  • Uses languages: actions to analyze workflow files; Rust support can be added as CodeQL's Rust analysis matures

Addresses item 8 in #11.

Test plan

  • Verify the workflow triggers on this PR and initializes CodeQL successfully
  • Confirm security-events are written to the Security tab

🤖 Generated with Claude Code

Add CodeQL workflow to scan GitHub Actions workflows for security
issues. Runs on push/PR to main and weekly on Mondays.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
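As an added illustration (not the PR's own .github/workflows/codeql.yml, which this page does not show), here is a CodeQL workflow matching the description above, with the job token scoped to what the Security tab upload needs rather than the repository default; the action versions and runner image are assumptions:

```yaml
# Added example, not the PR's file: CodeQL `actions` analysis with the
# triggers from the PR description and a least-privilege job token.
# Action versions (@v3 / @v4) and ubuntu-latest are assumed here.
name: CodeQL

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    # Mondays at 06:00 UTC, as stated in the PR description
    - cron: "0 6 * * 1"

# Workflow-level default: the GITHUB_TOKEN gets no permissions at all;
# each job must state exactly what it needs.
permissions: {}

jobs:
  analyze:
    name: Analyze GitHub Actions workflows
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the workflow files to scan
      security-events: write  # upload SARIF results to the Security tab
      actions: read           # read workflow metadata (needed on private repos)
    steps:
      - name: Checkout
        # Pinning to a full commit SHA instead of a tag hardens against
        # a moved tag; a tag is used here only for readability.
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # Only workflow files are analyzed; "rust" can be added later
          languages: actions

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:actions"
```

With `permissions: {}` at the top, any job added later that forgets its own block fails closed instead of inheriting write scopes.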
Copilot AI review requested due to automatic review settings March 31, 2026 02:48

Copilot AI left a comment


Pull request overview

Adds GitHub CodeQL code scanning to improve security analysis coverage for the repository’s GitHub Actions workflows (per issue #11 item 8).

Changes:

  • Introduces a new CodeQL workflow that runs on push/PR to main and on a weekly cron schedule.
  • Configures CodeQL to analyze actions (GitHub Actions workflow files) and upload results to the Security tab.


Comment on lines +5 to +7
branches: [main]
pull_request:
branches: [main]
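Review bot: the trigger lines shown here do not include the job's `permissions:` block; given that the PR's stated motivation includes overly permissive tokens, the analyze job should declare `security-events: write` (required to write results to the Security tab, as the test plan expects) together with `contents: read`, and nothing more, rather than inheriting the repository's default GITHUB_TOKEN permissions.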
Copilot AI Mar 31, 2026


To match the YAML style used in the existing workflows (e.g., .github/workflows/ci.yml:9-11), consider using the multi-line list form for branches instead of the inline array syntax. This keeps workflow triggers consistent and easier to edit in diffs.

Suggested change
branches: [main]
pull_request:
branches: [main]
branches:
- main
pull_request:
branches:
- main

Contributor Author


Addressed in the latest push.

DJ and others added 2 commits March 30, 2026 20:09
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>