Skip to content

ci(codeql): add CodeQL analysis workflow for this repository#162

Open
bedatty wants to merge 1 commit intodevelopfrom
ci/add-self-codeql
Open

ci(codeql): add CodeQL analysis workflow for this repository#162
bedatty wants to merge 1 commit intodevelopfrom
ci/add-self-codeql

Conversation

@bedatty
Copy link
Contributor

@bedatty bedatty commented Mar 20, 2026
edited by coderabbitai bot
Loading

Lerian

GitHub Actions Shared Workflows

Description

Adds a CodeQL analysis self workflow (self-codeql.yml) to scan this repository's GitHub Actions workflows and composite actions for security issues such as script injection, untrusted input usage, and other common Actions vulnerabilities.

  • Language: actions (GitHub Actions-specific analysis)
  • Triggers: push/PR on develop and main, weekly schedule (Monday 06:00 UTC), and manual dispatch
  • Results: uploaded as SARIF to the GitHub Security tab

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run: N/A — self-CI workflow, will run on this PR once merged.

Related Issues

N/A

Summary by CodeRabbit

  • Chores
    • Added automated code scanning workflow to enhance security analysis and detection on designated branches.

@bedatty bedatty requested a review from a team as a code owner March 20, 2026 20:57
@coderabbitai
Copy link

coderabbitai bot commented Mar 20, 2026
edited
Loading

Walkthrough

A new GitHub Actions workflow file was introduced to enable CodeQL security analysis. The workflow executes on push/pull request events to develop and main branches, runs weekly on Mondays, and supports manual dispatch. It performs CodeQL initialization and analysis across configured languages using official GitHub actions.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow
.github/workflows/self-codeql.yml		 Added new CodeQL workflow with triggers for develop/main branches, weekly schedule (Mondays 06:00 UTC), and manual dispatch. Configures analyze job on blacksmith-4vcpu-ubuntu-2404 runner with CodeQL initialization and analysis over actions language. Grants read repository and write security-events permissions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'ci(codeql): add CodeQL analysis workflow for this repository' directly and specifically describes the main change: adding a CodeQL workflow for self-CI purposes.
Description check ✅ Passed The description fully completes the template with all required sections: clear summary of changes, correct type of change marked (ci), no breaking changes noted, comprehensive testing checklist completed with appropriate explanations for N/A items.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/add-self-codeql

Comment @coderabbitai help to get the list of available commands and usage tips.

@lerian-studio lerian-studio added the size/XS PR changes < 50 lines label Mar 20, 2026
@github-actions github-actions bot added workflow Changes to one or more reusable workflow files and removed size/XS PR changes < 50 lines labels Mar 20, 2026
@lerian-studio
Copy link

lerian-studio commented Mar 20, 2026

🔍 Lint Analysis

Check Files Scanned Status
YAML Lint 1 file(s) ✅ success
Action Lint 1 file(s) ✅ success
Pinned Actions 1 file(s) ✅ success
Markdown Link Check no changes ⏭️ skipped
Spelling Check 1 file(s) ✅ success
Shell Check 1 file(s) ✅ success
README Check 1 file(s) ✅ success
Composite Schema no changes ⏭️ skipped

🔍 View full scan logs

@bedatty bedatty self-assigned this Mar 20, 2026
coderabbitai[bot]
coderabbitai bot requested changes Mar 20, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/self-codeql.yml:
- Around line 22-45: Replace the embedded CodeQL job logic in self-codeql.yml
(the "analyze" job with its runs-on, strategy/matrix and step list including
"Perform CodeQL Analysis") with a single delegation to the repository's reusable
CodeQL workflow: remove the job-level business logic (runs-on, matrix, and
steps) and instead add a job that calls the reusable workflow using uses: with
required inputs/parameters (e.g., language/category) so this self-* entrypoint
only invokes the reusable workflow and does not contain analysis steps itself.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b5d4914c-c979-4674-84ef-a40df3216660

📥 Commits

Reviewing files that changed from the base of the PR and between 1f9c77e and ea4ffca.

📒 Files selected for processing (1)
  • .github/workflows/self-codeql.yml

.github/workflows/self-codeql.yml
Comment on lines +22 to +45
jobs:
analyze:
name: CodeQL Analysis
runs-on: blacksmith-4vcpu-ubuntu-2404

strategy:
fail-fast: false
matrix:
language:
- actions

steps:
- name: Checkout repository
uses: actions/checkout@v6

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: '/language:${{ matrix.language }}'
Copy link

@coderabbitai coderabbitai bot Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Self entrypoint should delegate to a reusable workflow instead of embedding CodeQL job logic.

This self-codeql.yml implements the full analysis job directly (runs-on, matrix, steps). For this repository’s self-* workflows, the entrypoint should only call a corresponding reusable workflow via local path and avoid business logic in the self file.

Suggested refactor direction 
 jobs:
   analyze:
-    name: CodeQL Analysis
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-          - actions
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
-        with:
-          languages: ${{ matrix.language }}
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
-        with:
-          category: '/language:${{ matrix.language }}'
+    uses: ./.github/workflows/codeql.yml
+    # pass inputs/secrets here once reusable workflow exists

As per coding guidelines: ".github/workflows/self-*.yml ... Must call the corresponding reusable workflow via local path and contain no business logic."

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/self-codeql.yml around lines 22 - 45, Replace the embedded
CodeQL job logic in self-codeql.yml (the "analyze" job with its runs-on,
strategy/matrix and step list including "Perform CodeQL Analysis") with a single
delegation to the repository's reusable CodeQL workflow: remove the job-level
business logic (runs-on, matrix, and steps) and instead add a job that calls the
reusable workflow using uses: with required inputs/parameters (e.g.,
language/category) so this self-* entrypoint only invokes the reusable workflow
and does not contain analysis steps itself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@bedatty bedatty

Labels

workflow Changes to one or more reusable workflow files

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bedatty @lerian-studio