45 changes: 45 additions & 0 deletions .github/workflows/self-codeql.yml
@@ -0,0 +1,45 @@
name: Self — CodeQL

on:
push:
branches:
- develop
- main
pull_request:
branches:
- develop
- main
schedule:
# Run every Monday at 06:00 UTC
- cron: '0 6 * * 1'
workflow_dispatch:

permissions:
contents: read
security-events: write
actions: read

jobs:
analyze:
name: CodeQL Analysis
runs-on: blacksmith-4vcpu-ubuntu-2404

strategy:
fail-fast: false
matrix:
language:
- actions

steps:
- name: Checkout repository
uses: actions/checkout@v6

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: '/language:${{ matrix.language }}'
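Review bot: All three actions are pinned to mutable major-version tags (`actions/checkout@v6`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`), so a tag moved upstream silently changes what executes in a job that holds `security-events: write`; pin each `uses:` to a full-length commit SHA with the version kept as a trailing comment (for example `uses: actions/checkout@<full-sha> # v6`) and let Dependabot or Renovate bump the SHAs. The `permissions` block is already the minimum CodeQL needs for SARIF upload, and the cron comment matches `'0 6 * * 1'`.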
Comment on lines +22 to +45
⚠️ Potential issue | 🟠 Major

Self entrypoint should delegate to a reusable workflow instead of embedding CodeQL job logic.

This self-codeql.yml implements the full analysis job directly (runs-on, matrix, steps). For this repository’s self-* workflows, the entrypoint should only call a corresponding reusable workflow via local path and avoid business logic in the self file.

Suggested refactor direction
 jobs:
   analyze:
-    name: CodeQL Analysis
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-          - actions
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
-        with:
-          languages: ${{ matrix.language }}
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
-        with:
-          category: '/language:${{ matrix.language }}'
+    uses: ./.github/workflows/codeql.yml
+    # pass inputs/secrets here once reusable workflow exists
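Review bot: The target `./.github/workflows/codeql.yml` does not exist yet, as the trailing `# pass inputs/secrets here once reusable workflow exists` comment admits, so applying this diff alone leaves `self-codeql.yml` with an unresolvable `uses:` and the workflow fails before any job runs; the reusable workflow should land in the same PR (with `on: workflow_call` and an input replacing the removed `language` matrix), and the caller should keep its workflow-level `permissions` block, because a called workflow can only narrow the token scopes the caller grants, never widen them.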

As per coding guidelines: ".github/workflows/self-*.yml ... Must call the corresponding reusable workflow via local path and contain no business logic."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/self-codeql.yml around lines 22 - 45, replace the embedded CodeQL job logic in self-codeql.yml (the "analyze" job with its runs-on, strategy/matrix and step list including "Perform CodeQL Analysis") with a single delegation to the repository's reusable CodeQL workflow: remove the job-level business logic (runs-on, matrix, and steps) and instead add a job that calls the reusable workflow using uses: with required inputs/parameters (e.g., language/category) so this self-* entrypoint only invokes the reusable workflow and does not contain analysis steps itself.
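Added example, not from this PR or the repository: one shape the reusable `codeql.yml` that the suggestion delegates to could take, with a `workflow_call` trigger and a `language` input standing in for the removed matrix. The input name, the `ubuntu-latest` runner and the SHA placeholder are assumptions.

```yaml
# .github/workflows/codeql.yml  (hypothetical reusable workflow, not part of the PR)
name: CodeQL

on:
  workflow_call:
    inputs:
      language:
        description: CodeQL language to analyze (e.g. actions, javascript)
        required: false
        type: string
        default: actions

# The caller's token scopes are the ceiling; a called workflow can only narrow them.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: CodeQL Analysis (${{ inputs.language }})
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # In practice pin to a full commit SHA: actions/checkout@<full-sha> # v6
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ inputs.language }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          # Category keeps results for each language separate in code scanning
          category: '/language:${{ inputs.language }}'
```

The `self-codeql.yml` entrypoint then keeps only its triggers and `permissions` and calls it with `uses: ./.github/workflows/codeql.yml` plus `with: { language: actions }`.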
