petry-projects · don-petry · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
@@ -166,6 +166,64 @@ apply_settings() {
   ok "$ORG/$repo settings updated successfully"
 }
 
+# ---------------------------------------------------------------------------
+# apply_codeql_default_setup — enable GitHub-managed CodeQL default setup
+#
+# Per standards/ci-standards.md#2-codeql-analysis-github-managed-default-setup,
+# CodeQL is configured via the code-scanning/default-setup endpoint, not a
+# per-repo workflow file. Languages are auto-detected from the default branch.
+#
+# Idempotent: if state is already "configured", we no-op. If "not-configured",
+# we PATCH to enable. Repos listed in CODEQL_ADVANCED_EXCEPTIONS are skipped
+# (they are approved to keep an inline codeql.yml; see the escape hatch in
+# ci-standards.md §2). The API rejects updates on repos without code scanning
+# capability (e.g. private repos without GHAS); we log a warning and continue
+# so that --all runs are not blocked by a single unsupported repo.
+# ---------------------------------------------------------------------------
+
+# Repos approved for advanced CodeQL setup (inline codeql.yml).
+# Each entry must have a corresponding standards PR documenting the exception.
+CODEQL_ADVANCED_EXCEPTIONS=()
+
+apply_codeql_default_setup() {
+  local repo="$1"
+  info "Configuring CodeQL default setup for $ORG/$repo ..."
+
+  # Skip repos approved for advanced (inline workflow) CodeQL setup.
+  for exception in "${CODEQL_ADVANCED_EXCEPTIONS[@]}"; do
+    if [ "$repo" = "$exception" ]; then
+      skip "  $repo is in CODEQL_ADVANCED_EXCEPTIONS — skipping default setup"
+      return 0
+    fi
+  done
+
+  local current_state
+  current_state=$(gh api "repos/$ORG/$repo/code-scanning/default-setup" --jq '.state' 2>/dev/null || echo "")
+
+  if [ "$current_state" = "configured" ]; then
+    ok "  CodeQL default setup already configured"
+    return 0
+  fi
+
+  if [ "$DRY_RUN" = "true" ]; then
+    skip "DRY_RUN=true — would enable CodeQL default setup (current state: ${current_state:-unknown})"
+    return 0
+  fi
+
+  local api_err
+  if api_err=$(gh api -X PATCH "repos/$ORG/$repo/code-scanning/default-setup" \
+       -F state=configured \
+       -F query_suite=default 2>&1); then
+    ok "  CodeQL default setup enabled"
+  else
+    # Non-fatal: log warning and continue so --all runs are not blocked by
+    # repos that lack code scanning capability (private without GHAS,
+    # archived, or empty default branch).
+    warn "  Failed to enable CodeQL default setup for $repo — manual review required. API response: $api_err"
+    return 0
+  fi
+}
+
 # ---------------------------------------------------------------------------
 # Main
 # ---------------------------------------------------------------------------
@@ -194,6 +252,7 @@ if [ "$1" = "--all" ]; then
     apply_settings "$repo" || failed=$((failed + 1))
     apply_labels "$repo"
     pp_apply_security_and_analysis "$repo" || failed=$((failed + 1))
+    apply_codeql_default_setup "$repo" || failed=$((failed + 1))
   done
 
   if [ "$failed" -gt 0 ]; then
@@ -206,4 +265,5 @@ else
   apply_settings "$1"
   apply_labels "$1"
   pp_apply_security_and_analysis "$1"
+  apply_codeql_default_setup "$1"
 fi
@@ -6,7 +6,7 @@
 #
 # Rulesets managed:
 #   pr-quality    — pull request review requirements and merge policy
-#   code-quality  — required status checks (CI, SonarCloud, CodeQL, Claude Code)
+#   code-quality  — required status checks (CI, SonarCloud, CodeQL default setup, Claude Code)
 #
 # Usage:
 #   # Apply to a specific repo:
@@ -78,17 +78,29 @@ detect_required_checks() {
     fi
   fi
 
-  # --- CodeQL ---
-  if echo "$workflows" | grep -qx "codeql.yml"; then
-    local cq_wf_name
-    cq_wf_name=$(workflow_name "codeql.yml")
-    if [ -n "$cq_wf_name" ]; then
-      # CodeQL uses "Analyze" or "Analyze (<language>)" as job names;
-      # add the generic "Analyze" and language-specific variants below
-      checks+=("$cq_wf_name / Analyze")
+  # --- CodeQL (GitHub-managed default setup) ---
+  # CodeQL is no longer driven by a per-repo workflow file. We probe the
+  # default-setup API: if the state is "configured", GitHub publishes results
+  # under the required-status-check context name `CodeQL` (single context,
+  # regardless of how many languages are detected). See
+  # standards/ci-standards.md#2-codeql-analysis-github-managed-default-setup.
+  #
+  # Note: a stray .github/workflows/codeql.yml is drift and will be flagged
+  # by compliance-audit.sh#check_codeql_default_setup. We do NOT fall back
+  # to a workflow-derived check name here, because doing so would let drift
+  # silently satisfy the rule and bypass remediation.
+  local codeql_state codeql_err
+  if codeql_err=$(gh api "repos/$ORG/$repo/code-scanning/default-setup" --jq '.state' 2>&1); then
+    codeql_state="$codeql_err"  # on success, stdout holds the state value
+    if [ "$codeql_state" = "configured" ]; then
+      checks+=("CodeQL")
     else
-      checks+=("Analyze")
+      info "  CodeQL default setup not configured for $repo (state: $codeql_state) — skipping CodeQL required check. Run apply-repo-settings.sh first."
     fi
+  else
+    err "  Failed to probe CodeQL default-setup state for $repo. API error: $codeql_err"
+    err "  Check that GH_TOKEN has code-scanning scope and the repo exists."
+    return 1
   fi
 
   # --- Tier 1 centralized workflows ---

@@ -33,7 +33,12 @@ FINDINGS_FILE="$REPORT_DIR/findings.json"
 SUMMARY_FILE="$REPORT_DIR/summary.md"
 ISSUES_FILE="$REPORT_DIR/issues.json"
 
-REQUIRED_WORKFLOWS=(ci.yml codeql.yml sonarcloud.yml claude.yml dependabot-automerge.yml dependency-audit.yml agent-shield.yml)
+REQUIRED_WORKFLOWS=(ci.yml sonarcloud.yml claude.yml dependabot-automerge.yml dependency-audit.yml agent-shield.yml)
+# Note: codeql.yml is intentionally NOT in REQUIRED_WORKFLOWS. CodeQL is now
+# configured via GitHub-managed default setup (Settings → Code security →
+# Code scanning), not a per-repo workflow file. The check_codeql_default_setup
+# function below verifies the API state and treats stray codeql.yml files
+# as drift to be removed. See standards/ci-standards.md#2-codeql-analysis-github-managed-default-setup.
 
 # name:hex-color:description (color without leading #)
 REQUIRED_LABEL_SPECS=(
@@ -406,6 +411,54 @@ check_sonarcloud() {
   fi
 }
 
+# ---------------------------------------------------------------------------
+# Check: CodeQL default setup is configured (and no stray codeql.yml exists)
+#
+# After petry-projects/.github#103, CodeQL is configured via GitHub's
+# managed default setup, not a per-repo workflow file. Two distinct findings:
+#
+#   1. codeql-default-setup-not-configured (error): the repo has not enabled
+#      default setup. Remediate by running:
+#        gh api -X PATCH repos/<org>/<repo>/code-scanning/default-setup \
+#          -F state=configured -F query_suite=default
+#      (or by running scripts/apply-repo-settings.sh against the repo).
+#
+#   2. stray-codeql-workflow (error): the repo still ships a codeql.yml
+#      workflow file. Default setup and an inline workflow are mutually
+#      exclusive at the GitHub level — leaving the file behind double-bills
+#      CI minutes and creates two competing analyses. Remediation: delete
+#      .github/workflows/codeql.yml.
+# ---------------------------------------------------------------------------
+check_codeql_default_setup() {
+  local repo="$1"
+
+  # Query the default-setup state. The endpoint returns 200 with a JSON body
+  # describing the state, OR a 4xx if the repo has no code scanning capability
+  # (e.g. private without GHAS, archived). Treat any non-"configured" state
+  # as a finding so the audit surfaces what needs remediation.
+  local state
+  state=$(gh_api "repos/$ORG/$repo/code-scanning/default-setup" --jq '.state' 2>/dev/null || echo "")
+
+  if [ "$state" != "configured" ]; then
+    local detail
+    if [ -z "$state" ]; then
+      detail="CodeQL default setup query returned no state — either the repo has code scanning disabled or the API call failed. Enable via \`gh api -X PATCH repos/$ORG/$repo/code-scanning/default-setup -F state=configured -F query_suite=default\`."
+    else
+      detail="CodeQL default setup is in state \`$state\` (expected \`configured\`). Run \`apply-repo-settings.sh $repo\` or \`gh api -X PATCH repos/$ORG/$repo/code-scanning/default-setup -F state=configured -F query_suite=default\`."
+    fi
+    add_finding "$repo" "ci-workflows" "codeql-default-setup-not-configured" "error" \
+      "$detail" \
+      "standards/ci-standards.md#2-codeql-analysis-github-managed-default-setup"
+  fi
+
+  # Stray workflow check: any codeql.yml under .github/workflows is drift.
+  if gh_api "repos/$ORG/$repo/contents/.github/workflows/codeql.yml" --jq '.name' > /dev/null 2>&1; then
+    add_finding "$repo" "ci-workflows" "stray-codeql-workflow" "error" \
+      "Repo still ships \`.github/workflows/codeql.yml\`. The org standard now uses GitHub-managed CodeQL default setup; per-repo workflow files are drift and run a duplicate analysis alongside default setup. Delete the file. If a documented exception applies (custom query pack, build mode, path filters), open a standards PR against \`standards/ci-standards.md\` to record the exception before re-adding the workflow." \
+      "standards/ci-standards.md#2-codeql-analysis-github-managed-default-setup"
+  fi
+}
+
 # ---------------------------------------------------------------------------
 # Check: Workflow permissions follow least-privilege
 # ---------------------------------------------------------------------------
@@ -1150,6 +1203,7 @@ main() {
     check_rulesets "$repo"
     check_codeowners "$repo"
     check_sonarcloud "$repo"
+    check_codeql_default_setup "$repo"
     check_workflow_permissions "$repo"
     check_claude_workflow_checkout "$repo"
     check_centralized_workflow_stubs "$repo"