chore(security): remove drift codeql.yml, enable GitHub-managed default setup#113
…ult setup

Per org CI standards §2, CodeQL must be configured through GitHub-managed default setup (Settings → Code security), not via a per-repo workflow file. Per-repo codeql.yml files are explicitly classified as drift by the compliance audit. Default setup is already configured (state=configured, query_suite=default) and was re-confirmed via API before this commit.

Closes #95

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
@don-petry — this PR removes the drift
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Removes the repository’s custom CodeQL GitHub Actions workflow to align with org CI standards that require GitHub-managed CodeQL default setup.
Changes:
- Deleted `.github/workflows/codeql.yml` (previous advanced CodeQL workflow) to eliminate compliance “drift”.
Summary

- Default setup already configured (`state=configured`, `query_suite=default`), re-confirmed via API
- Removed the `codeql.yml` workflow file, which is classified as drift by the org CI standards

Why

Per `ci-standards.md` §2, CodeQL must be configured through GitHub's default setup (Settings → Code security), not via a per-repo workflow file. The standard explicitly states: "per-repo `codeql.yml` files are treated as drift by the compliance audit."

The existing `codeql.yml` was an advanced setup that duplicates what GitHub's managed default setup provides automatically (auto-detected languages, managed analyzer versions).

Changes

- Deleted `.github/workflows/codeql.yml` (drift per org standard)
- Ran `gh api -X PATCH repos/petry-projects/TalkTerm/code-scanning/default-setup -F state=configured -F query_suite=default` (triggered run #24189978053)

Note on compliance audit 403

The compliance audit has been consistently reporting a 403 ("Resource not accessible by personal access token") when it tries to read the code-scanning default-setup state. This is an audit-side token permissions issue — the audit bot's PAT lacks the `administration:read` scope needed for the code-scanning configuration endpoint. The actual configuration is `state=configured` (verifiable with a properly-scoped token). This PR removes the drift `codeql.yml`, which is the actionable code change; the 403 in the audit will need to be resolved by updating the audit bot's token scopes in `petry-projects/.github`.

Closes #95
Generated with Claude Code
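The PR description rests on two checks (default setup must report `state=configured`; a per-repo `codeql.yml` is drift) and on one failure mode the audit got wrong (a 403 from the default-setup endpoint means the token cannot read the setting, not that the repository is unconfigured). The following is an added example of an audit routine that encodes those rules; it is not code from the TalkTerm project, the PR, or the org's audit bot. The function names, the `Finding` type, the constructed sample responses, and the assumption that `gh api -i` prints the HTTP status line and headers before a blank line and the JSON body are all mine; the endpoint path `code-scanning/default-setup` and the 403 message are the ones the PR cites.

```python
"""Drift check for CodeQL configuration in a GitHub repository (added example).

Rules encoded:
  1. GET repos/{owner}/{repo}/code-scanning/default-setup must report state == "configured";
  2. a per-repo .github/workflows/codeql*.yml is drift.
A 403 from the endpoint is kept separate from "not configured": it is a token
permission problem on the audit side and must not be reported as drift.
"""
import json
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_SETUP_PATH = "code-scanning/default-setup"  # REST path under repos/{owner}/{repo}/


@dataclass(frozen=True)
class Finding:
    status: str  # "compliant" | "drift" | "unknown"
    reason: str


def classify_default_setup(http_status: int, body: str) -> Finding:
    """Interpret one response from the default-setup endpoint."""
    if http_status == 403:
        # The token cannot read the setting; this says nothing about the repo's state.
        return Finding("unknown", "audit token cannot read default setup "
                                  "(needs administration:read); fix the token, do not report drift")
    if http_status != 200:
        return Finding("unknown", f"unexpected HTTP {http_status} from default-setup endpoint")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Finding("unknown", "default-setup response was not valid JSON")
    state = data.get("state")
    if state != "configured":
        return Finding("drift", f"default setup state is {state!r}, expected 'configured'")
    return Finding("compliant", f"default setup configured (query_suite={data.get('query_suite')})")


def find_codeql_workflows(workflow_files: List[str]) -> List[str]:
    """Any workflow under .github/workflows whose file name mentions codeql is a per-repo setup."""
    return sorted(
        f for f in workflow_files
        if f.startswith(".github/workflows/") and "codeql" in f.rsplit("/", 1)[-1].lower()
    )


def audit_repo(http_status: int, body: str, workflow_files: List[str]) -> Tuple[str, List[Finding]]:
    """Combine both rules into an overall verdict plus the individual findings."""
    findings = [classify_default_setup(http_status, body)]
    for path in find_codeql_workflows(workflow_files):
        findings.append(Finding("drift", f"per-repo CodeQL workflow {path} present; "
                                         "org standard requires GitHub-managed default setup"))
    statuses = {f.status for f in findings}
    if "drift" in statuses:
        overall = "drift"
    elif "unknown" in statuses:
        overall = "unknown"
    else:
        overall = "compliant"
    return overall, findings


def fetch_default_setup(repo: str) -> Tuple[int, str]:
    """Live lookup through the gh CLI. Assumptions: gh is installed and authenticated,
    and `gh api -i` prints 'HTTP/x.y <status> ...', header lines, a blank line, then the body."""
    proc = subprocess.run(["gh", "api", "-i", f"repos/{repo}/{DEFAULT_SETUP_PATH}"],
                          capture_output=True, text=True, check=False)
    lines = proc.stdout.splitlines()
    status, body_start = 0, len(lines)
    for i, line in enumerate(lines):
        if i == 0 and line.startswith("HTTP/"):
            status = int(line.split()[1])
        if line.strip() == "":
            body_start = i + 1
            break
    return status, "\n".join(lines[body_start:])


if __name__ == "__main__":
    # Constructed sample inputs mirroring the situations described in the PR.
    CONFIGURED = json.dumps({"state": "configured", "query_suite": "default", "languages": ["python"]})
    FORBIDDEN = json.dumps({"message": "Resource not accessible by personal access token"})
    scenarios = {
        "after PR (default setup on, workflow removed)": (200, CONFIGURED, [".github/workflows/ci.yml"]),
        "before PR (default setup on, codeql.yml present)":
            (200, CONFIGURED, [".github/workflows/ci.yml", ".github/workflows/codeql.yml"]),
        "audit bot with under-scoped token": (403, FORBIDDEN, [".github/workflows/ci.yml"]),
    }
    for label, args in scenarios.items():
        overall, findings = audit_repo(*args)
        print(f"{label}: {overall}")
        for f in findings:
            print(f"  [{f.status}] {f.reason}")
```

Run it as-is to see the three constructed scenarios; for a live check, replace the sample arguments with `fetch_default_setup("owner/repo")` plus a listing of the repository's `.github/workflows` directory. The point of the three-way verdict is that an "unknown" never silently becomes a "drift": the token problem the PR describes surfaces as a finding about the audit, not about the repository.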