From 877e05c136fbbc0c39eefff7b1ccbffb0c4bbd4a Mon Sep 17 00:00:00 2001
From: DJ
Date: Mon, 30 Mar 2026 19:48:31 -0700
Subject: [PATCH 1/3] ci: enable CodeQL security analysis
Add CodeQL workflow to scan GitHub Actions workflows for security issues. Runs on push/PR to main and weekly on Mondays.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/codeql.yml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..cf555ef
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,29 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: '0 6 * * 1'
+
+permissions:
+ security-events: write
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: actions
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
From 514ce02997089bab260800feaa0927856b6335f8 Mon Sep 17 00:00:00 2001
From: DJ
Date: Mon, 30 Mar 2026 20:09:17 -0700
Subject: [PATCH 2/3] fix: align CodeQL config with petry-projects org standards
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/codeql.yml | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cf555ef..0fc3511 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
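Review bot: The `on:` block in this hunk has no `workflow_dispatch:` entry, so the scan can only run on push/PR to main or on the Monday cron and cannot be started by hand, for example to re-check the repository after a CodeQL query-pack update; adding `workflow_dispatch:` alongside `schedule:` fixes that without widening any permissions. Note that the indentation of this hunk is flattened in this rendering, so nesting has to be read from the key names. The unpinned `@v5`/`@v3` action references and the top-level `security-events: write` grant are already reworked by patch 2 of this series, so they are not raised here.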
@@ -8,22 +8,29 @@ on:
 schedule:
 - cron: '0 6 * * 1'
-permissions:
- security-events: write
- contents: read
+permissions: {}
 jobs:
 analyze:
 name: Analyze
- runs-on: ubuntu-24.04
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ['actions']
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4
 with:
- languages: actions
+ languages: ${{ matrix.language }}
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+ with:
+ category: '/language:${{ matrix.language }}'
From f04672ac421b45273a1dc3d48eb75d31d1d93466 Mon Sep 17 00:00:00 2001
From: DJ
Date: Mon, 30 Mar 2026 20:12:48 -0700
Subject: [PATCH 3/3] style: use multi-line branch list to match existing workflow style
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/codeql.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0fc3511..5365b33 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,9 +2,11 @@ name: CodeQL
 on:
 push:
- branches: [main]
+ branches:
+ - main
 pull_request:
- branches: [main]
+ branches:
+ - main
 schedule:
 - cron: '0 6 * * 1'
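Review bot: The job-level `permissions:` added under `analyze` grant only `security-events: write` and `contents: read`; GitHub's stock CodeQL template additionally lists `actions: read` (documented as needed for workflows in private repositories) and `packages: read` (for private CodeQL packs), so if this repository is private the upload in the analyze step may be refused — confirm the visibility or add `actions: read` to the job block. In the same hunk, `runs-on` moves from `ubuntu-24.04` to the floating `ubuntu-latest` label while every action is pinned to a commit SHA, which pulls in the opposite direction on reproducibility; keeping an explicit image version is more consistent with the pinning. The trailing `# v6` and `# v4` comments next to the SHAs are not verified by anything in the workflow, so a Dependabot/Renovate rule or a review convention is needed to keep them from drifting away from the hash they annotate. The `${{ matrix.language }}` expressions come from a static matrix and not from event data, so they are fine in `with:`.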