
chore(security): remove drift codeql.yml, enable GitHub-managed default setup#107

Open
don-petry wants to merge 2 commits into main from claude/issue-95-20260414-1335

Conversation

@don-petry
Contributor

Summary

  • Enabled GitHub-managed CodeQL default setup via API (state=configured, query_suite=default)
  • Removed the per-repo codeql.yml workflow file, which is classified as drift by the org CI standards

Why

Per ci-standards.md §2, CodeQL must be configured through GitHub's default setup (Settings → Code security), not via a per-repo workflow file. The standard explicitly states: "per-repo codeql.yml files are treated as drift by the compliance audit."

The existing codeql.yml was an advanced setup that duplicated what GitHub's managed default setup provides automatically, including auto-detected languages and managed analyzer versions.

Changes

  • Deleted .github/workflows/codeql.yml (drift per org standard)
  • Default setup configured via: gh api -X PATCH repos/petry-projects/TalkTerm/code-scanning/default-setup -F state=configured -F query_suite=default

Closes #95

Generated with Claude Code

…lt setup

Per ci-standards.md §2, CodeQL should be configured via GitHub-managed
default setup (Settings → Code security), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Enabled default setup via:
  gh api -X PATCH repos/petry-projects/TalkTerm/code-scanning/default-setup -F state=configured -F query_suite=default

Closes #95

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 13:37
coderabbitai Bot commented Apr 14, 2026

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 44 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 51 minutes and 44 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 939bbb41-e541-477c-b783-25bdc1cc896a

📥 Commits

Reviewing files that changed from the base of the PR and between 051f051 and 1557d23.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

@don-petry
Contributor Author

@don-petry — this PR is ready for review and merge. It fixes the CodeQL compliance finding by removing the drift codeql.yml workflow file and configuring GitHub-managed default setup (which was enabled via API during this run).

@sonarqubecloud

Copilot AI left a comment


Pull request overview

Removes the repository-managed CodeQL workflow to align with org CI standards that require GitHub-managed CodeQL default setup (configured in repo settings rather than via workflow code).

Changes:

  • Deleted .github/workflows/codeql.yml (previous advanced CodeQL workflow).
  • Relies on GitHub’s Code Scanning default setup being configured (state=configured, query_suite=default) outside the repo.
Comments suppressed due to low confidence (1)

.github/workflows/codeql.yml:1

  • Deleting this workflow removes the CodeQL actions language scan (the workflow/pipeline security query pack). GitHub-managed CodeQL default setup typically scans only code languages (e.g., JS/TS) and does not include the GitHub Actions query suite; if Actions scanning is still desired, add a minimal dedicated workflow for language: actions (or confirm the org standard explicitly accepts losing Actions scans).


@don-petry
Contributor Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: 71bec416293fb30115e4e914ae0fe242721f8151
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Note: Automated approval was blocked by GitHub branch protection (cannot approve own PR). This comment records the cascade verdict. A human reviewer must click Approve to satisfy the branch protection rule.

Summary

PR deletes a per-repo codeql.yml that the org CI standard §2 explicitly classifies as drift, and the out-of-band default-setup configuration claim is independently verifiable via the GitHub API: state=configured with languages=['actions','python'] and query_suite=default. CodeQL analysis records on refs/heads/main confirm both /language:actions and /language:python categories are actively running, so the 'actions' security scanning the deep review worried about is not lost — and python scanning is a net gain. The deep review's critical coverage-reduction finding was based on a conservative prior about default setup; empirical verification refutes it.

Findings

Info

  • [info] (verification) — Independently verified via gh api repos/petry-projects/TalkTerm/code-scanning/default-setup: state=configured, languages=['actions','python'], query_suite=default, updated_at=2026-04-09. The claimed out-of-band side effect is real and persisted.
  • [info] (coverage-equivalence) — CodeQL analyses on refs/heads/main at 2026-04-14T20:24 show both /language:actions and /language:python categories executed under default setup. Actions workflow security scanning (expression injection, GITHUB_ENV misuse, dangerous shell patterns) is preserved. Python scanning is newly covered (the deleted advanced workflow did not scan python). Repo language breakdown (HTML 149KB, Python 85KB, Groovy 5KB) indicates the deleted workflow's 'javascript-typescript' language was not providing meaningful JS/TS code coverage.
  • [info] (standards-compliance) — petry-projects/.github standards/ci-standards.md §2 states: 'per-repo codeql.yml files are treated as drift by the compliance audit... delete the file and enable default setup. The two configurations are mutually exclusive at the GitHub level — leaving the workflow file behind after flipping default setup on causes both to run and double-bills CI minutes.' This PR implements exactly the prescribed remediation.
  • [info] (ci-status) — All status checks SUCCESS (CodeQL python+actions, SonarCloud 0 new issues / 0 hotspots, AgentShield, CodeRabbit). mergeStateStatus=BLOCKED only because reviewDecision=REVIEW_REQUIRED — human approval still needed per branch protection.
  • [info] (supply-chain) — PR is a pure deletion (additions=0, deletions=38, changedFiles=1). No new dependencies, actions, secrets, workflow triggers, or permission grants introduced. Authored by claude[bot] + don-petry; commit on head SHA 71bec41 matches PR_HEAD_SHA.

Minor

CI status

All status checks SUCCESS (CodeQL python+actions, SonarCloud 0 new issues / 0 hotspots, AgentShield, CodeRabbit). mergeStateStatus=BLOCKED due to branch protection requiring human reviewer approval (REVIEW_REQUIRED), not due to failing checks.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
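The configure-and-verify procedure that the PR description and the audit comment above describe (PATCH the default-setup endpoint, then read it back, check that codeql.yml is gone, and confirm each configured language is actually producing analyses on the default branch) as one checker. This is an added example, not code from this PR or from the TalkTerm project. It assumes an installed and authenticated `gh` CLI for the live path; the function names are the example's own; and the sample responses at the bottom are constructed in the shape of the REST API output to mirror what the audit comment reports, not captured from the API.

```python
"""Check a repo against the org CodeQL rule: GitHub-managed default setup
must be 'configured' and no per-repo .github/workflows/codeql.yml may exist.
Pure functions operate on the JSON of GET .../code-scanning/default-setup,
GET .../code-scanning/analyses?ref=<ref> and GET .../contents/<path> (404 when
absent). Live helpers shell out to `gh api`; an installed, authenticated gh is
an assumption of this example, not something the PR ships.
"""
import json
import subprocess
from dataclasses import dataclass, field

WORKFLOW_PATH = ".github/workflows/codeql.yml"


@dataclass
class CodeqlAssessment:
    compliant: bool
    findings: list = field(default_factory=list)
    languages: list = field(default_factory=list)   # languages default setup reports
    categories: list = field(default_factory=list)  # CodeQL categories seen on the ref


def assess_codeql_setup(default_setup, workflow_present, analyses, expected_languages=()):
    """Evaluate one repo. `default_setup` and `analyses` are parsed API responses;
    `workflow_present` says whether codeql.yml still exists in the tree."""
    findings = []
    state = default_setup.get("state")
    languages = sorted(default_setup.get("languages") or [])
    if state != "configured":
        findings.append(f"default setup state is {state!r}, expected 'configured'")
    if workflow_present:
        findings.append(f"{WORKFLOW_PATH} present in repo: drift per org standard")
    if state == "configured" and workflow_present:
        findings.append("default setup and advanced workflow both active: double scanning")
    # Default-setup analyses are categorised "/language:<lang>"; confirm every
    # language the API claims is actually producing analyses on the ref.
    seen = sorted({a.get("category", "") for a in analyses
                   if a.get("tool", {}).get("name") == "CodeQL"})
    for lang in languages:
        if f"/language:{lang}" not in seen:
            findings.append(f"language {lang!r} configured but no analysis on ref")
    for lang in expected_languages:
        if lang not in languages:
            findings.append(f"required language {lang!r} not covered by default setup")
    return CodeqlAssessment(not findings, findings, languages, seen)


def gh_api(path, *args):
    """Run `gh api <path> [args]`; returns (parsed JSON, None) or (None, stderr)."""
    proc = subprocess.run(["gh", "api", path, *args], capture_output=True, text=True)
    if proc.returncode != 0:
        return None, proc.stderr.strip()
    return json.loads(proc.stdout), None


def enable_default_setup(repo, query_suite="default"):
    """The PATCH the PR description reports running, wrapped as a function."""
    body, err = gh_api(f"repos/{repo}/code-scanning/default-setup", "-X", "PATCH",
                       "-F", "state=configured", "-F", f"query_suite={query_suite}")
    if err:
        raise RuntimeError(err)
    return body


def assess_live(repo, ref="refs/heads/main", expected_languages=()):
    """Fetch the three inputs for `repo` (e.g. 'petry-projects/TalkTerm') and evaluate."""
    setup, err = gh_api(f"repos/{repo}/code-scanning/default-setup")
    if err:
        raise RuntimeError(err)
    _, err = gh_api(f"repos/{repo}/contents/{WORKFLOW_PATH}")
    if err and "404" not in err:          # gh exits non-zero on HTTP 404
        raise RuntimeError(err)
    workflow_present = err is None
    analyses, err = gh_api(f"repos/{repo}/code-scanning/analyses?ref={ref}")
    if err:
        raise RuntimeError(err)
    return assess_codeql_setup(setup, workflow_present, analyses, expected_languages)


# Constructed sample responses in the API's shape, chosen to mirror what the
# audit comment reports for TalkTerm; they were not captured from the API.
SAMPLE_SETUP = {"state": "configured", "languages": ["actions", "python"],
                "query_suite": "default", "updated_at": "2026-04-09T00:00:00Z"}
SAMPLE_ANALYSES = [
    {"category": "/language:actions", "ref": "refs/heads/main", "tool": {"name": "CodeQL"}},
    {"category": "/language:python", "ref": "refs/heads/main", "tool": {"name": "CodeQL"}},
]

if __name__ == "__main__":
    after = assess_codeql_setup(SAMPLE_SETUP, False, SAMPLE_ANALYSES, ("actions",))
    before = assess_codeql_setup(SAMPLE_SETUP, True, SAMPLE_ANALYSES, ("actions",))
    print("after PR :", "compliant" if after.compliant else after.findings)
    print("before PR:", before.findings)
```

The "both active" finding is the case the org standard calls out (workflow left behind after default setup is switched on); the "configured but no analysis on ref" finding is the check that settles the coverage question raised in the Copilot review, since an `actions` entry in `languages` only matters if a `/language:actions` analysis actually lands on the protected branch.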


Development

Successfully merging this pull request may close these issues.

Compliance: codeql-default-setup-not-configured

2 participants