
Add CodeQL analysis workflow configuration#36

Merged
nisavid merged 3 commits into
mainfrom
nisavid-patch-1
May 11, 2026
Conversation

Owner

@nisavid nisavid commented May 11, 2026

Summary by CodeRabbit

  • Chores
    • Added an automated CodeQL analysis workflow to run continuous security and code-quality scans on pushes, pull requests, a weekly schedule, and via manual trigger, providing regular vulnerability and quality feedback and reporting for the repository.


Copilot AI review requested due to automatic review settings May 11, 2026 03:07

coderabbitai Bot commented May 11, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 58cbe58 and d55552b.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

📝 Walkthrough


Adds a GitHub Actions workflow (.github/workflows/codeql.yml) named "CodeQL Advanced" that triggers on pushes/PRs to main, weekly schedule, and manual dispatch; it runs an analyze job on ubuntu-latest with a language/build-mode matrix and CodeQL init/analyze steps.

Changes

CodeQL Workflow Setup

| Layer | File(s) | Summary |
| --- | --- | --- |
| Workflow Triggers & Metadata | .github/workflows/codeql.yml | Adds workflow name, triggers (push/PR to main, weekly cron, workflow_dispatch) and top-level permissions. |
| Job Configuration & Matrix | .github/workflows/codeql.yml | Defines analyze job on ubuntu-latest, 30m timeout, and language matrix for actions, javascript-typescript, and rust with per-language build-mode. |
| Checkout, Init, and Analyze Steps | .github/workflows/codeql.yml | Steps: checkout repo, initialize CodeQL using matrix languages and build-mode, and run CodeQL analysis with language category. |

Sequence Diagram(s)

sequenceDiagram
  participant GitHub as "GitHub Trigger"
  participant Runner as "ubuntu-latest Runner"
  participant Checkout as "actions/checkout"
  participant CodeQLInit as "codeql-action/init@v4"
  participant CodeQLAnalyze as "codeql-action/analyze@v4"
  GitHub->>Runner: push/PR/cron/dispatch
  Runner->>Checkout: checkout repository
  Runner->>CodeQLInit: init with matrix languages & build-mode
  CodeQLInit->>CodeQLAnalyze: prepare DB & queries for language
  CodeQLAnalyze->>Runner: run analysis & upload results

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through YAML lines tonight,
I added scans to catch a plight,
Three languages in tidy rows,
CodeQL prowls where caution goes,
I nibble bugs beneath the light.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add CodeQL analysis workflow configuration' accurately and concisely describes the main change: adding a CodeQL Advanced workflow file. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



greptile-apps Bot commented May 11, 2026

Greptile Summary

This PR adds a CodeQL Advanced analysis workflow that runs security and code-quality scans on pushes, pull requests targeting main, and on a weekly schedule.

  • Configures three language matrices — actions, javascript-typescript, and rust — all using build-mode: none, with github/codeql-action@v4 (the current supported version) and actions/checkout@v6 consistent with the rest of the repo.
  • Grants the minimum required permissions (actions: read, contents: read, security-events: write) and includes a workflow_dispatch trigger for manual runs.

Confidence Score: 5/5

Safe to merge — this adds an opt-in CI workflow with no impact on existing build or release pipelines.

The change introduces a new, isolated workflow file. It uses current action versions, scoped permissions, and does not touch any application code or other workflows. The Rust build-mode concern noted in prior review threads is a scan-quality trade-off rather than a correctness or security issue with the workflow itself.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/codeql.yml | New CodeQL workflow covering actions, javascript-typescript, and rust; uses correct action versions and minimal permissions; Rust analysis quality may be limited by build-mode: none (already flagged in prior review threads). |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([Trigger]) --> B{Event type}
    B -->|push to main| C[Start analyze job]
    B -->|pull_request targeting main| C
    B -->|schedule: weekly Tue 19:34| C
    B -->|workflow_dispatch| C

    C --> D[Matrix strategy\nfail-fast: false]
    D --> E1[language: actions\nbuild-mode: none]
    D --> E2[language: javascript-typescript\nbuild-mode: none]
    D --> E3[language: rust\nbuild-mode: none]

    E1 --> F1[Checkout @ v6]
    E2 --> F2[Checkout @ v6]
    E3 --> F3[Checkout @ v6]

    F1 --> G1[CodeQL init @ v4]
    F2 --> G2[CodeQL init @ v4]
    F3 --> G3[CodeQL init @ v4]

    G1 --> H1[CodeQL analyze @ v4]
    G2 --> H2[CodeQL analyze @ v4]
    G3 --> H3[CodeQL analyze @ v4]

    H1 --> I[Post results to GitHub Security tab]
    H2 --> I
    H3 --> I

Reviews (3): Last reviewed commit: "fix(codeql): use supported Rust build mo..."
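The workflow as the two bot summaries above describe it, reconstructed here as an added example rather than the file from the PR itself; the job display name, the cron literal for the weekly Tuesday 19:34 slot, and the exact `category` string are assumptions, everything else (triggers, permissions, matrix, action versions, timeout) is taken from the review text:

```yaml
name: "CodeQL Advanced"

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    # Weekly, Tuesday 19:34 UTC; the cron literal is an assumption from the flowchart label.
    - cron: "34 19 * * 2"
  workflow_dispatch:

# Least privilege: read the checkout, read workflow metadata, write SARIF to code scanning.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})   # display name is an assumption
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false          # one language failing must not cancel the other scans
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: javascript-typescript
            build-mode: none
          - language: rust
            build-mode: none    # autobuild is unsupported for Rust in the current bundle
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
```

With `build-mode: none` the Rust scan is extracted without compiling, which is the scan-quality trade-off the Greptile review refers to.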

coderabbitai Bot previously requested changes May 11, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 16-18: The YAML uses flow-style brackets with extra spaces in the "branches: [ \"main\" ]" entries which triggers yamllint errors; edit the workflow file to remove the inner spaces so both occurrences of the branches key use "branches: [\"main\"]" (update the lines containing the branches entries in the codeql.yml so they match the corrected bracket spacing).
- Around line 62-63: Replace floating action tags with immutable commit SHAs: locate each occurrence of the action references (e.g., the uses: actions/checkout@v4 entry and the other uses: ...@v4 entries in this workflow) and replace the `@v4` tag with the corresponding full commit SHA from that action's releases page (for example, actions/checkout and github/codeql-action). Update each uses: line so it references the full SHA string instead of a floating tag to ensure reproducible CI behavior.


📥 Commits

Reviewing files that changed from the base of the PR and between 37ccaae and b5fa13f.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml


Copilot AI left a comment


Pull request overview

Adds a GitHub Actions workflow to run GitHub CodeQL “advanced” code scanning on main pushes/PRs and on a weekly schedule, to improve automated security and quality analysis for the repository.

Changes:

  • Introduces .github/workflows/codeql.yml to run CodeQL analysis for Actions, JavaScript/TypeScript, and Rust.
  • Configures a language/build-mode matrix and standard CodeQL init/analyze steps.

nisavid and others added 2 commits May 11, 2026 07:32
Replace the generated CodeQL template with a maintained advanced setup workflow that analyzes GitHub Actions, JavaScript/TypeScript, and Rust on pushes, pull requests, schedules, and manual dispatches.

Co-authored-by: Codex <noreply@openai.com>

Keep Rust on CodeQL's supported none build mode after the advanced workflow reported that autobuild is not supported for Rust in the current CodeQL bundle.

Co-authored-by: Codex <noreply@openai.com>
Copilot AI review requested due to automatic review settings May 11, 2026 11:35

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
.github/workflows/codeql.yml (1)

35-45: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin action refs to immutable SHAs (not floating major tags).

Line 36, Line 39, and Line 45 use movable tags (@v6, @v4). That allows CI behavior to change without a PR when upstream tags move. Pin each uses: reference to a full commit SHA.

Suggested change
-      - name: Checkout repository
-        uses: actions/checkout@v6
+      - name: Checkout repository
+        uses: actions/checkout@<checkout_v6_commit_sha>

-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@<codeql_action_v4_commit_sha>

-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@<codeql_action_v4_commit_sha>
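Review bot: The `+` lines in all three pairs substitute placeholders (`<checkout_v6_commit_sha>`, `<codeql_action_v4_commit_sha>`) that are not valid refs, so the suggestion cannot be committed as written; each `uses:` needs the full 40-hex commit SHA, ideally with the tag kept as a trailing comment (`uses: actions/checkout@<full-sha> # v6`) so the pinned version stays readable in review. The init and analyze entries should pin the identical codeql-action SHA so both steps run the same bundle; the script that follows resolves those SHAs and correctly follows an annotated tag to the commit it points at, which is the value to pin.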
#!/bin/bash
set -euo pipefail

# 1) Verify floating action tags still exist in this workflow.
# Expected after fix: no output.
rg -nP '^\s*uses:\s*[^@]+@v[0-9]+(?:\.[0-9]+){0,2}\s*$' .github/workflows/codeql.yml || true

# 2) Resolve current commit SHAs for major tags (read-only, GitHub API).
fetch_commit_sha () {
  local repo="$1"
  local tag="$2"
  local ref_json obj_type obj_sha
  ref_json="$(curl -fsSL "https://api.github.com/repos/${repo}/git/ref/tags/${tag}")"
  obj_type="$(printf '%s' "$ref_json" | jq -r '.object.type')"
  obj_sha="$(printf '%s' "$ref_json" | jq -r '.object.sha')"

  if [[ "$obj_type" == "tag" ]]; then
    curl -fsSL "https://api.github.com/repos/${repo}/git/tags/${obj_sha}" | jq -r '.object.sha'
  else
    printf '%s\n' "$obj_sha"
  fi
}

echo "actions/checkout@v6 commit SHA: $(fetch_commit_sha actions/checkout v6)"
echo "github/codeql-action@v4 commit SHA: $(fetch_commit_sha github/codeql-action v4)"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 35 - 45, Replace the floating action tags with immutable commit SHAs for each "uses:" entry so the workflow behavior can't change silently; specifically update the three references "actions/checkout@v6", "github/codeql-action/init@v4" and "github/codeql-action/analyze@v4" to their corresponding full commit SHAs (you can resolve them via the GitHub API or the provided fetch_commit_sha script) and commit the updated .github/workflows/codeql.yml with the pinned SHAs.


📥 Commits

Reviewing files that changed from the base of the PR and between b5fa13f and 58cbe58.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml


Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

@nisavid nisavid dismissed coderabbitai[bot]’s stale review May 11, 2026 11:43

Stale CodeRabbit review: the actionable YAML spacing comments were fixed, action pinning is intentionally not adopted because this repo follows major-version action tags and CodeQL documents that major tags are recommended for advanced setups, and all current checks pass.

Owner Author

nisavid commented May 11, 2026

@coderabbitai review

@nisavid nisavid merged commit 44558aa into main May 11, 2026
14 checks passed
@nisavid nisavid deleted the nisavid-patch-1 branch May 11, 2026 11:44

coderabbitai Bot commented May 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
