dvcdsys · dvcdsys · Apr 27, 2026 · Apr 27, 2026 · Apr 27, 2026
diff --git a/.github/workflows/ci-cli.yml b/.github/workflows/ci-cli.yml
@@ -0,0 +1,46 @@
+name: "CI: CLI"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "cli/**"
+      - ".github/workflows/ci-cli.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "cli/**"
+      - ".github/workflows/ci-cli.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    defaults:
+      run:
+        working-directory: cli
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: cli/go.mod
+          cache-dependency-path: cli/go.sum
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Test
+        run: go test -race ./...
+
+      - name: Build
+        run: go build ./...
diff --git a/.github/workflows/ci-go.yml → .github/workflows/ci-server.yml b/.github/workflows/ci-go.yml → .github/workflows/ci-server.yml
@@ -1,20 +1,19 @@
-name: CI — Go server
+name: "CI: Server"
 
 on:
   push:
     branches: [main]
     paths:
       - "server/**"
-      - ".github/workflows/ci-go.yml"
+      - ".github/workflows/ci-server.yml"
   pull_request:
     branches: [main]
     paths:
       - "server/**"
-      - ".github/workflows/ci-go.yml"
+      - ".github/workflows/ci-server.yml"
 
-# Read-only token: this workflow runs vet/test/build only — no writes to
-# the repo, no SARIF upload, no package publish. CodeQL flagged the
-# missing block (.github/workflows/ci-go.yml:37 — go/missing-permissions).
+# Read-only: vet/test/build only. CodeQL flagged the implicit block as
+# go/missing-permissions, hence the explicit declaration.
 permissions:
   contents: read
 
@@ -24,20 +23,21 @@ jobs:
     defaults:
       run:
         working-directory: server
-
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
-      - uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version-file: server/go.mod
           cache-dependency-path: server/go.sum
 
-      - name: go vet
+      - name: Vet
         run: go vet ./...
 
-      - name: go test
+      - name: Test
         run: go test -race ./...
 
-      - name: go build
+      - name: Build
         run: go build ./...
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,56 @@
+name: "CodeQL"
+
+# Advanced setup. Replaces GitHub's "default setup" which auto-detects
+# and scans every language it finds — that included java-kotlin, ruby,
+# rust, javascript-typescript, c-cpp, python false-positives from
+# vendored CGO deps and the archived legacy/python-api/ tree.
+#
+# To stop the duplicate runs you also need to disable the default
+# setup once: GitHub repo → Settings → Code security → Code scanning
+# → "CodeQL analysis" → Switch to advanced (or Disable).
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"  # Mondays at 06:00 UTC, mirrors security.yml
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # Keep tightly scoped: only languages that actually ship code.
+        # `actions` lints workflow YAML; `go` covers server + CLI.
+        # Do NOT add python (only legacy/python-api/, archived) or
+        # c-cpp (only transitive CGO deps, no first-party C).
+        language: [actions, go]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # security-extended adds rules beyond the default set; matches
+          # what the default setup runs.
+          queries: security-extended
+
+      - name: Autobuild
+        if: matrix.language == 'go'
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
@@ -1,122 +1,119 @@
-name: Release CLI
+name: "Release: CLI"
 
+# Triggered by CLI-namespaced tags (e.g. `cli/v0.4.0`). Server releases
+# use `server/v*`. Bare `v*` tags are the historical pre-split CLI line
+# and are no longer wired to any workflow.
 on:
   push:
     tags:
-      - "v*"
+      - "cli/v*"
 
 permissions:
   contents: write
 
 jobs:
-  build-linux:
-    name: Build ${{ matrix.target }}
-    runs-on: ubuntu-latest
+  build:
+    name: Build (${{ matrix.target }})
+    runs-on: ${{ matrix.runner }}
     strategy:
+      fail-fast: false
       matrix:
         include:
-          - target: linux-arm64
-            goarch: arm64
           - target: linux-amd64
+            runner: ubuntu-latest
+            goos: linux
             goarch: amd64
-
-    steps:
-      - uses: actions/checkout@v6
-
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: cli/go.mod
-          cache-dependency-path: cli/go.sum
-
-      - name: Build
-        working-directory: cli
-        env:
-          GOOS: linux
-          GOARCH: ${{ matrix.goarch }}
-          CGO_ENABLED: "0"
-        run: |
-          VERSION="${{ github.ref_name }}"
-          go build \
-            -ldflags="-s -w -X 'github.com/anthropics/code-index/cli/cmd.Version=${VERSION}'" \
-            -o "dist/cix" .
-
-      - name: Package
-        working-directory: cli
-        run: |
-          cd dist
-          tar -czf "cix-${{ matrix.target }}.tar.gz" cix
-          rm cix
-
-      - uses: actions/upload-artifact@v7
-        with:
-          name: cix-${{ matrix.target }}
-          path: cli/dist/cix-${{ matrix.target }}.*
-
-  build-darwin:
-    name: Build ${{ matrix.target }}
-    runs-on: macos-latest
-    strategy:
-      matrix:
-        include:
-          - target: darwin-arm64
+            cgo: "0"
+          - target: linux-arm64
+            runner: ubuntu-latest
+            goos: linux
             goarch: arm64
+            cgo: "0"
           - target: darwin-amd64
+            runner: macos-latest
+            goos: darwin
             goarch: amd64
-
+            cgo: "1"
+          - target: darwin-arm64
+            runner: macos-latest
+            goos: darwin
+            goarch: arm64
+            cgo: "1"
     steps:
-      - uses: actions/checkout@v6
+      - name: Checkout
+        uses: actions/checkout@v4
 
-      - uses: actions/setup-go@v6
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version-file: cli/go.mod
           cache-dependency-path: cli/go.sum
 
       - name: Build
         working-directory: cli
         env:
-          GOOS: darwin
+          GOOS: ${{ matrix.goos }}
           GOARCH: ${{ matrix.goarch }}
-          CGO_ENABLED: "1"
+          CGO_ENABLED: ${{ matrix.cgo }}
         run: |
-          VERSION="${{ github.ref_name }}"
+          # Strip `cli/` namespace prefix — binaries report `v0.4.0`, not `cli/v0.4.0`.
+          VERSION="${GITHUB_REF_NAME#cli/}"
           go build \
             -ldflags="-s -w -X 'github.com/anthropics/code-index/cli/cmd.Version=${VERSION}'" \
             -o "dist/cix" .
 
       - name: Package
-        working-directory: cli
+        working-directory: cli/dist
         run: |
-          cd dist
           tar -czf "cix-${{ matrix.target }}.tar.gz" cix
           rm cix
 
-      - uses: actions/upload-artifact@v7
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
         with:
           name: cix-${{ matrix.target }}
-          path: cli/dist/cix-${{ matrix.target }}.*
+          path: cli/dist/cix-${{ matrix.target }}.tar.gz
 
   release:
-    name: Create Release
-    needs: [build-linux, build-darwin]
+    name: Publish release
+    needs: [build]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - name: Checkout
+        uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v8
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
         with:
           path: artifacts
           merge-multiple: true
 
-      - name: Checksums
-        run: |
-          cd artifacts
-          sha256sum * > checksums.txt
+      - name: Compute checksums
+        working-directory: artifacts
+        run: sha256sum * > checksums.txt
+
+      - name: Extract version
+        id: ver
+        run: echo "version=${GITHUB_REF_NAME#cli/}" >> "$GITHUB_OUTPUT"
 
-      - name: Create GitHub Release
+      - name: Create GitHub release
         uses: softprops/action-gh-release@v2
         with:
+          name: "CLI ${{ steps.ver.outputs.version }}"
           files: |
             artifacts/*.tar.gz
             artifacts/checksums.txt
           generate_release_notes: true
-          make_latest: "legacy"
+          # Server releases own the "latest" pointer (Docker image is the
+          # primary deliverable). CLI installs filter by `cli/` tag prefix.
+          make_latest: "false"
+          body: |
+            ## Install
+
+            ```bash
+            curl -fsSL https://raw.githubusercontent.com/dvcdsys/code-index/main/install.sh | bash
+            ```
+
+            Re-run the same command later to upgrade — the installer
+            picks the latest `cli/v*` release and skips if you already
+            have it (use `--force` to reinstall).