fix: add codeql.yml for CodeQL SAST compliance

[don-petry]

Summary

• Adds the required codeql.yml workflow to resolve compliance finding missing-codeql.yml (issue Compliance: missing-codeql.yml #39)
• Language configured as actions per the CI standard: repos containing .github/workflows/*.yml must add the actions language
• Job name Analyze (actions) matches the required Analyze (<lang>) pattern for branch protection status checks
• Permissions follow least-privilege policy: {} top-level, per-job actions: read, contents: read, security-events: write
• Triggers: push/PR to main + weekly Friday scan (12:00 PM EST / 17:00 UTC)
• actions/checkout pinned to SHA (de0fac2e... v6.0.2) matching existing workflows; Dependabot will pin codeql-action@v4 SHAs on its next weekly run

Closes #39

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 40 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 7 minutes and 40 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7b7debce-f5c5-4475-af64-8ec62a3c9c07

📥 Commits

Reviewing files that changed from the base of the PR and between ecca69f and 865a987.

📒 Files selected for processing (1)

• .github/workflows/codeql.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-39-20260407-1731

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a GitHub Actions workflow to run CodeQL SAST scans for compliance (issue #39), targeting the repository’s GitHub Actions workflows as the analyzed “language”.

Changes:

• Introduces .github/workflows/codeql.yml with push/PR triggers on main plus a weekly scheduled scan.
• Configures CodeQL to analyze actions and uses least-privilege workflow/job permissions.
• Aligns the job name and category with expected branch-protection/status-check patterns.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The CodeQL actions are referenced by a moving tag (@v4). If your repo/org policy is aiming for supply-chain hardening (similar to the pinned actions/checkout), pin github/codeql-action/* to immutable commit SHAs as well (and keep them updated via Dependabot). This reduces the risk of a compromised upstream tag affecting your workflow.

Suggested change

	uses: github/codeql-action/init@v4
	with:
	languages: actions
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v4
	uses: github/codeql-action/init@3c5c3a4a0f3f64e64d5d4e9f7e3f2db279b9da86 # v4
	with:
	languages: actions
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@3c5c3a4a0f3f64e64d5d4e9f7e3f2db279b9da86 # v4

[Copilot]

The CodeQL actions are referenced by a moving tag (@v4). If your repo/org policy is aiming for supply-chain hardening (similar to the pinned actions/checkout), pin github/codeql-action/* to immutable commit SHAs as well (and keep them updated via Dependabot). This reduces the risk of a compromised upstream tag affecting your workflow.

Suggested change

	uses: github/codeql-action/init@v4
	with:
	languages: actions
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v4
	uses: github/codeql-action/init@3fcb8f7314c2e7c6b6bc3b5b7f9a1f4e6d2c9a55 # v4
	with:
	languages: actions
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@3fcb8f7314c2e7c6b6bc3b5b7f9a1f4e6d2c9a55 # v4

[Copilot]

The inline comment mixes a fixed UTC cron with a fixed 'EST' local time; this becomes inaccurate during daylight saving time (ET shifts between UTC-4/UTC-5). Prefer describing this as '12:00 PM ET' with a DST note, or remove the local-time conversion and keep the comment purely in UTC to avoid future confusion.

Suggested change

	- cron: '0 17 * * 5' # Weekly scan (Friday 12:00 PM EST / 17:00 UTC)
	- cron: '0 17 * * 5' # Weekly scan (Friday 12:00 PM ET during standard time / 1:00 PM ET during daylight saving time; 17:00 UTC)

[Copilot]

ubuntu-latest can change underlying OS versions, which can cause unexpected workflow differences over time. If stability/reproducibility is required for compliance workflows, consider pinning to a specific runner image (e.g., ubuntu-24.04 or ubuntu-22.04) consistent with your CI standards.

Suggested change

	runs-on: ubuntu-latest
	runs-on: ubuntu-24.04

[don-petry]

@don-petry — PR is ready for review. The codeql.yml workflow is created and all CI checks pass except CodeQL Analysis, which fails because GitHub's Default Setup for Code Scanning is still enabled on this repository.

To unblock: go to Settings → Security → Code scanning → CodeQL analysis → Switch to advanced (disable the default setup). Once that's done the check will go green and the PR can be merged.

Closes #39

[don-petry]

Closing as stale — predates the standards PR.

This PR was generated by Claude during the original bulk-toggle yesterday, before petry-projects/.github#86 landed. That standards PR added prompt rules that:

• Require copying from petry-projects/.github/standards/workflows/ verbatim instead of writing workflow files from scratch
• Require verifying SHAs via gh api instead of guessing
• Require the CodeQL actions ecosystem in the matrix where applicable
• Allow gh api and gh label create for admin operations

Re-toggling the underlying issue will let Claude regenerate this fix using the new rules. The next run should produce a workflow that is byte-identical to the standard template (verified with the canary on TalkTerm#51 → PR #78 yesterday).