Summary
Re-enable repository code scanning so GitHub security alerts reflect the current codebase instead of stale historical results.
Why
The repo currently has an open CodeQL alert on src/context.js, but the vulnerable code path was already fixed on main in 6cfc2be on 2026-02-24. The alert remains open because the repository has no CodeQL workflow under .github/workflows, so nothing is rescanning main.
Scope
- add a minimal CodeQL workflow for the repository
- run on push to main, pull requests targeting main, and a weekly schedule
- scan the JavaScript/TypeScript codebase with least-surprising defaults
- leave existing CI and architecture gates alone
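A workflow that satisfies the scope above, added here as an illustrative example rather than the repository's own file. The file path (`.github/workflows/codeql.yml`), the cron time, and the action versions are assumptions; the trigger set and language match the bullets.

```yaml
# Added example: minimal CodeQL workflow for a JavaScript/TypeScript repo.
# Assumed file path: .github/workflows/codeql.yml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly rescan of the default branch (Mondays 03:00 UTC, assumed time).
    - cron: '0 3 * * 1'

permissions:
  contents: read          # checkout only
  security-events: write  # upload SARIF results to code scanning
  actions: read           # required for private repositories

jobs:
  analyze:
    name: Analyze (javascript-typescript)
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # Default query suite only; no custom packs or extra queries,
          # matching the "least-surprising defaults" scope item.
          languages: javascript-typescript

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Keep the category stable across runs so each new analysis of
          # main supersedes the previous one instead of accumulating results.
          category: "/language:javascript-typescript"
```

Once the first run on main completes, code scanning compares the new results against the open alerts for that branch and category; an alert whose finding is no longer present is marked fixed automatically, which is the expected outcome for the stale alert on src/context.js. Changing the `category` or `languages` value later would create a separate result set and leave the old alerts untouched, so those two fields should be treated as stable identifiers.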
Exit Criteria
- repository has a working CodeQL workflow
- future pushes and PRs trigger code scanning
- stale alert #28 can be recomputed or dismissed with confidence after the workflow lands