From 2c0bc64f9a10e0fed6d9b6551b4ff21f2eb8c5ae Mon Sep 17 00:00:00 2001 From: William Martin <223556219+Copilot@users.noreply.github.com> Date: Wed, 20 May 2026 16:42:08 +0200 Subject: [PATCH 1/3] Add CodeQL workflow Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/codeql.yml | 45 ++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..ba5340b --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,45 @@ +name: Code Scanning + +on: + push: + branches: [main] + pull_request: + branches: [main] + paths-ignore: + - '**/*.md' + schedule: + - cron: "0 0 * * 0" + +permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/analyze to upload SARIF results + +jobs: + CodeQL-Build: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + language: ['go', 'actions'] + + steps: + - name: Check out code + uses: actions/checkout@v6 + + - name: Setup Go + if: matrix.language == 'go' + uses: actions/setup-go@v6 + with: + go-version-file: "go.mod" + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + queries: security-and-quality + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{ matrix.language }}" From 172e7d819875477fbf35445b420ede04c79099bd Mon Sep 17 00:00:00 2001 From: William Martin <223556219+Copilot@users.noreply.github.com> Date: Wed, 20 May 2026 16:55:20 +0200 Subject: [PATCH 2/3] Address CodeQL workflow review feedback - Add persist-credentials: false to checkout for consistency with ci.yml/lint.yml - Add explicit 'go build ./...' step between init and analyze so the Go CodeQL database is populated reliably without relying on autobuild Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ba5340b..c3368f3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Setup Go if: matrix.language == 'go' @@ -39,6 +41,10 @@ jobs: languages: ${{ matrix.language }} queries: security-and-quality + - name: Build Go + if: matrix.language == 'go' + run: go build ./... + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: From 1bb2336079deafc57645f9dfc4367b6d615c74a6 Mon Sep 17 00:00:00 2001 From: William Martin <223556219+Copilot@users.noreply.github.com> Date: Wed, 20 May 2026 17:20:08 +0200 Subject: [PATCH 3/3] Drop redundant Go build step Per CodeQL docs (https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-build-options-and-steps-for-compiled-languages#building-go), Go is the exception among compiled languages: the default autobuild already extracts all Go code, similar to running 'go build ./...'. The explicit step was redundant and, without build-mode: manual, would have caused Go to be built twice. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c3368f3..e99d12b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,10 +41,6 @@ jobs: languages: ${{ matrix.language }} queries: security-and-quality - - name: Build Go - if: matrix.language == 'go' - run: go build ./... - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: