Create CodeQL workflow file #12

Closed
dims wants to merge 1 commit into main from gh-code-scanning/codeql-analysis

Conversation


@dims dims commented Feb 1, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 1, 2026 01:04
@dims dims closed this Feb 1, 2026

Copilot AI left a comment


Pull request overview

This pull request adds a CodeQL static analysis workflow to enable automated code security scanning for the Go codebase. The workflow is configured to run on pushes to main, pull requests, and on a weekly schedule.

Changes:

  • Adds a new CodeQL analysis workflow that runs static analysis on Go code using GitHub's CodeQL action

@@ -0,0 +1,46 @@
name: "CodeQL"
Copilot AI Feb 1, 2026

This workflow file is missing the standard Apache 2.0 copyright header that is consistently present in all other workflow files in the repository. All existing workflows start with a copyright notice following the pattern:

# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# ...

Add the copyright header to match the established codebase convention.

Comment on lines +27 to +46
uses: actions/checkout@v3

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@v2

# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language

#- run: |
# make bootstrap
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
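Review bot: the "✏️ If the Autobuild fails above…" note and the commented-out `#- run:` / `# make bootstrap` / `# make release` lines are scaffolding from the CodeQL starter template and should not be committed as-is; if Autobuild is the intended build step for this Go code, delete the placeholder block, otherwise replace the Autobuild step with the repository's real build command so the CodeQL database is built the same way the project is.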
Copilot AI Feb 1, 2026

This workflow uses outdated action versions that don't follow the codebase's established pattern of SHA pinning with version comments.

The repository consistently uses SHA-pinned actions with version comments for security and reproducibility. For example:

  • .github/workflows/on-push.yaml:54 uses actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  • .github/actions/security-scan/action.yml:75 uses github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0

Additionally, the versions used here are outdated:

  • actions/checkout@v3 should be updated to v6.0.2 (current in repo)
  • github/codeql-action/*@v2 should be updated to v4 or later (repo uses v4.32.0)

Update all action references to use SHA pinning with version comments and current versions.

Comment on lines +12 to +14
analyze:
name: Analyze
runs-on: ubuntu-latest
Copilot AI Feb 1, 2026

The workflow job is missing a timeout-minutes configuration, which is a standard safety measure used consistently across all other workflows in the repository. For example:

  • .github/workflows/on-push.yaml:50 sets timeout-minutes: 15 for unit tests
  • .github/workflows/on-push.yaml:96 sets timeout-minutes: 30 for e2e tests
  • .github/workflows/vuln-scan.yaml:41 sets timeout-minutes: 30 for security scans

Add an appropriate timeout (e.g., timeout-minutes: 30) to prevent runaway jobs and ensure operational reliability.

Comment on lines +3 to +10
on:
push:
branches: main
pull_request:
branches: main
schedule:
- cron: '54 23 * * 3'

Copilot AI Feb 1, 2026

The workflow is missing a concurrency group configuration to prevent multiple concurrent runs, which is a standard pattern used across all other workflows in the repository. For example:

  • .github/workflows/on-push.yaml:41-43 uses group: ${{ github.workflow }}-${{ github.ref }} with cancel-in-progress: true
  • .github/workflows/vuln-scan.yaml:30-32 uses group: scheduled-trivy-scan with cancel-in-progress: false

Add a concurrency configuration appropriate for CodeQL analysis. Since this is a scheduled analysis, consider using cancel-in-progress: false to ensure scans complete even if a new run is triggered.

Comment on lines +4 to +7
push:
branches: main
pull_request:
branches: main
Copilot AI Feb 1, 2026

The workflow enables CodeQL analysis on every push to main and every PR, which creates redundancy with the existing comprehensive security scanning already in place:

  1. .github/workflows/on-push.yaml:69-73 runs Trivy security scans (which upload to GitHub Security) on every push and PR
  2. .github/workflows/vuln-scan.yaml runs daily scheduled Trivy scans with SARIF upload to GitHub Security

Both workflows already upload security findings to GitHub Security (via security-events: write permission and SARIF upload), providing vulnerability detection coverage.

Consider whether CodeQL provides incremental value beyond the existing Trivy scanning, especially since both integrate with GitHub Security. If CodeQL is needed for static analysis (data flow analysis), limit it to scheduled runs only to avoid redundant CI overhead on every push/PR. You can remove the push: and pull_request: triggers and keep only the schedule: trigger.

Suggested change
push:
branches: main
pull_request:
branches: main

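Putting the review comments above together (license header, SHA-pinned actions at the versions the repository already uses, `timeout-minutes`, a concurrency group, and a schedule-only trigger), the following is a hardened version of the workflow written as an added illustration; it is not the file from this PR. The commit SHAs and version comments are the ones quoted in the review (every `github/codeql-action/*` sub-action shares the repository's commit, so the `upload-sarif` SHA applies to `init`, `autobuild` and `analyze` too); the `permissions` and `matrix` blocks are assumptions, since the PR excerpt does not show those lines.

```yaml
# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# (remainder of the repository's standard Apache 2.0 header goes here)

name: "CodeQL"

on:
  # Scheduled runs only; push/pull_request triggers removed as the review suggests.
  schedule:
    - cron: '54 23 * * 3'

# Serialize runs per workflow/ref; do not cancel a scheduled scan already in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# Assumed least-privilege token: read the code, write SARIF results to code scanning.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    timeout-minutes: 30          # matches the repo's security-scan timeout
    strategy:
      fail-fast: false
      matrix:
        language: [ 'go' ]       # assumed: the PR targets a Go codebase

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
```

Pinning to a full commit SHA rather than a mutable tag means a compromised or force-pushed tag cannot change what the workflow runs; the `# vX.Y.Z` comment is what lets Dependabot and reviewers see which release the SHA corresponds to.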

github-actions bot commented Feb 1, 2026

Coverage Report ✅

| Metric    | Value |
| --------- | ----- |
| Coverage  | 73.7% |
| Threshold | 70%   |
| Status    | Pass  |

Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-73.7%25-green)

@mchmarny mchmarny deleted the gh-code-scanning/codeql-analysis branch February 4, 2026 23:57