
ci(codeql): add CodeQL analysis workflow for this repository#162

Open
bedatty wants to merge 1 commit into develop from ci/add-self-codeql

Conversation

@bedatty
Contributor

@bedatty bedatty commented Mar 20, 2026

Lerian

GitHub Actions Shared Workflows


Description

Adds a CodeQL analysis self workflow (self-codeql.yml) to scan this repository's GitHub Actions workflows and composite actions for security issues such as script injection, untrusted input usage, and other common Actions vulnerabilities.

  • Language: actions (GitHub Actions-specific analysis)
  • Triggers: push/PR on develop and main, weekly schedule (Monday 06:00 UTC), and manual dispatch
  • Results: uploaded as SARIF to the GitHub Security tab

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run: N/A — self-CI workflow, will run on this PR once merged.

Related Issues

N/A

Summary by CodeRabbit

  • Chores
    • Added automated code scanning workflow to enhance security analysis and detection on designated branches.

@bedatty bedatty requested a review from a team as a code owner March 20, 2026 20:57
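The vulnerability class the new workflow is meant to surface (script injection through untrusted event data in `run:` scripts), shown as an added example that is not part of this PR or of CodeQL itself: a small Python checker, written for this page, flags `${{ github.event.* }}` expressions that are expanded inside a shell script and accepts the hardened form that routes the same value through `env:`. Both workflow snippets are constructed samples, and the list of untrusted context fields is an illustrative subset.

```python
import re
# Constructed sample: untrusted PR/issue text expanded straight into a shell script.
VULNERABLE_WORKFLOW = """\
name: triage
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Multi-line
        run: |
          echo "${{ github.event.issue.body }}"
          echo done
"""

# Constructed sample: same data passed via env, so the shell sees it as data, not code.
HARDENED_WORKFLOW = """\
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
"""

# Event-context fields an outside contributor controls (illustrative subset, not exhaustive).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:pull_request|issue|comment|review|head_commit|commits)"
    r"\b[^}]*\}\}"
)

def find_script_injections(text):
    """Return (line_no, expression) for untrusted expressions that land inside run: scripts."""
    findings, in_block, block_indent = [], False, 0
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_block and (not stripped or indent > block_indent):
            findings += [(no, m.group(0)) for m in UNTRUSTED.finditer(line)]
            continue
        in_block = False  # a less-indented line closes a `run: |` block scalar
        m = re.match(r"(?:-\s+)?run:\s*(.*)$", stripped)  # env:, with:, name: are skipped
        if m and m.group(1).strip() in ("|", ">", "|-", ">-"):
            in_block, block_indent = True, indent
        elif m:
            findings += [(no, x.group(0)) for x in UNTRUSTED.finditer(m.group(1))]
    return findings
```

Running it on the vulnerable sample reports lines 8 and 11; the hardened sample yields no findings because the expression only appears under `env:`.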
@coderabbitai

coderabbitai bot commented Mar 20, 2026

Walkthrough

A new GitHub Actions workflow file was introduced to enable CodeQL security analysis. The workflow executes on push/pull request events to develop and main branches, runs weekly on Mondays, and supports manual dispatch. It performs CodeQL initialization and analysis across configured languages using official GitHub actions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow: .github/workflows/self-codeql.yml | Added new CodeQL workflow with triggers for develop/main branches, weekly schedule (Mondays 06:00 UTC), and manual dispatch. Configures analyze job on blacksmith-4vcpu-ubuntu-2404 runner with CodeQL initialization and analysis over actions language. Grants read repository and write security-events permissions. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'ci(codeql): add CodeQL analysis workflow for this repository' directly and specifically describes the main change: adding a CodeQL workflow for self-CI purposes. |
| Description check | ✅ Passed | The description fully completes the template with all required sections: clear summary of changes, correct type of change marked (ci), no breaking changes noted, comprehensive testing checklist completed with appropriate explanations for N/A items. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



@lerian-studio lerian-studio added the size/XS PR changes < 50 lines label Mar 20, 2026
@github-actions github-actions bot added workflow Changes to one or more reusable workflow files and removed size/XS PR changes < 50 lines labels Mar 20, 2026
@lerian-studio

🔍 Lint Analysis

| Check | Files Scanned | Status |
|---|---|---|
| YAML Lint | 1 file(s) | ✅ success |
| Action Lint | 1 file(s) | ✅ success |
| Pinned Actions | 1 file(s) | ✅ success |
| Markdown Link Check | no changes | ⏭️ skipped |
| Spelling Check | 1 file(s) | ✅ success |
| Shell Check | 1 file(s) | ✅ success |
| README Check | 1 file(s) | ✅ success |
| Composite Schema | no changes | ⏭️ skipped |


@bedatty bedatty self-assigned this Mar 20, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/self-codeql.yml:
- Around line 22-45: Replace the embedded CodeQL job logic in self-codeql.yml
(the "analyze" job with its runs-on, strategy/matrix and step list including
"Perform CodeQL Analysis") with a single delegation to the repository's reusable
CodeQL workflow: remove the job-level business logic (runs-on, matrix, and
steps) and instead add a job that calls the reusable workflow using uses: with
required inputs/parameters (e.g., language/category) so this self-* entrypoint
only invokes the reusable workflow and does not contain analysis steps itself.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b5d4914c-c979-4674-84ef-a40df3216660

📥 Commits

Reviewing files that changed from the base of the PR and between 1f9c77e and ea4ffca.

📒 Files selected for processing (1)
  • .github/workflows/self-codeql.yml

Comment on lines +22 to +45

```yaml
jobs:
  analyze:
    name: CodeQL Analysis
    runs-on: blacksmith-4vcpu-ubuntu-2404

    strategy:
      fail-fast: false
      matrix:
        language:
          - actions

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: '/language:${{ matrix.language }}'
```


⚠️ Potential issue | 🟠 Major

Self entrypoint should delegate to a reusable workflow instead of embedding CodeQL job logic.

This self-codeql.yml implements the full analysis job directly (runs-on, matrix, steps). For this repository’s self-* workflows, the entrypoint should only call a corresponding reusable workflow via local path and avoid business logic in the self file.

Suggested refactor direction
 jobs:
   analyze:
-    name: CodeQL Analysis
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-          - actions
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
-        with:
-          languages: ${{ matrix.language }}
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
-        with:
-          category: '/language:${{ matrix.language }}'
+    uses: ./.github/workflows/codeql.yml
+    # pass inputs/secrets here once reusable workflow exists
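Review bot: the replacement line `+    uses: ./.github/workflows/codeql.yml` points at a reusable workflow that the following line (`+    # pass inputs/secrets here once reusable workflow exists`) admits is not present yet, so this hunk cannot be applied on its own without leaving `self-codeql.yml` referencing a missing file; the reusable workflow should land first or in the same PR, carrying the removed `fail-fast: false` matrix and the `category: '/language:${{ matrix.language }}'` step so the SARIF categories stay stable, and the caller must keep the workflow-level `security-events: write` grant described in the PR summary so the called workflow's upload step is still permitted.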

As per coding guidelines: ".github/workflows/self-*.yml ... Must call the corresponding reusable workflow via local path and contain no business logic."



Labels

workflow Changes to one or more reusable workflow files
