chore(security): remove drift codeql.yml, enable GitHub-managed default setup#117

Open
don-petry wants to merge 2 commits intomainfrom
claude/issue-95-20260420-1032

Conversation

@don-petry (Contributor) commented Apr 20, 2026

Summary

  • Removes .github/workflows/codeql.yml — classified as drift by the org compliance audit (see CI standard §2)
  • Re-confirmed GitHub-managed CodeQL default setup via API (state=configured, query_suite=default)

Why

Per org CI standard §2, CodeQL must be configured via GitHub-managed default setup, not a per-repo workflow file. The compliance audit flags any repo with a codeql.yml as drift. The per-repo workflow is also redundant since default setup is already running scans.

Note on audit 403

The weekly compliance audit returns HTTP 403 when checking the default setup state. This is a PAT scope issue on the audit bot side (needs Administration: write / repo scope). The CodeQL default setup is actually configured (verified with a properly-scoped token). Fixing the audit bot's PAT scope requires a change in petry-projects/.github.

Related PRs

This supersedes the same fix in PRs #113 and #107 (both have green CI but were never merged).

Closes #95

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Removed automated code analysis workflow from the CI/CD pipeline.

…lt setup

Per org CI standard §2, CodeQL must use GitHub-managed default setup
(Settings → Code security → Code scanning), not a per-repo workflow file.
Per-repo codeql.yml files are treated as drift by the compliance audit.

Actions taken:
- Removed .github/workflows/codeql.yml (drift per-repo advanced setup)
- Re-confirmed default setup via API: state=configured, query_suite=default

The GitHub-managed default setup is already running CodeQL scans.
The compliance audit 403 is a PAT scope issue in the audit bot (needs
Administration:read scope on the audit bot token in petry-projects/.github).

Closes #95

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
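The PR body and the commit message above both rest on the same two checks: reading the default-setup state back from the GitHub API, and recognising that the audit bot's HTTP 403 is a token-permission problem rather than a finding. The script below is an added example, not code from this PR or from the petry-projects organisation; it shows how an audit-side check should make that distinction. It assumes the real endpoint `GET /repos/{owner}/{repo}/code-scanning/default-setup`, an environment variable named `GITHUB_TOKEN`, and the sample JSON bodies are constructed, not captured from any repository.

```python
"""Audit-side check for GitHub-managed CodeQL default setup (added example).

Queries GET /repos/{owner}/{repo}/code-scanning/default-setup and turns the
response into an audit verdict. The key point: an HTTP 403 means the audit
token cannot read the setting, which is an auditor problem, not evidence
that default setup is off, so it must never be reported as drift.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"

# Audit verdicts
CONFIGURED = "configured"            # default setup is enabled
NOT_CONFIGURED = "not-configured"    # a genuine drift finding
AUDIT_ERROR = "audit-error"          # the checker could not read the state

# Constructed sample bodies (not captured from a real repository).
SAMPLE_CONFIGURED = json.dumps({
    "state": "configured",
    "languages": ["javascript-typescript", "actions"],
    "query_suite": "default",
    "schedule": "weekly",
})
SAMPLE_FORBIDDEN = json.dumps({"message": "Resource not accessible by personal access token"})


def classify_default_setup(status: int, body: str) -> dict:
    """Map an HTTP status and JSON body to an audit verdict with a reason."""
    if status == 403:
        return {"verdict": AUDIT_ERROR,
                "reason": "token cannot read code-scanning default setup (check PAT scope)"}
    if status == 404:
        return {"verdict": AUDIT_ERROR,
                "reason": "repository not found or code scanning not available"}
    if status != 200:
        return {"verdict": AUDIT_ERROR, "reason": f"unexpected HTTP {status}"}
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": AUDIT_ERROR, "reason": "malformed JSON from API"}
    if data.get("state") == "configured":
        return {"verdict": CONFIGURED,
                "query_suite": data.get("query_suite"),
                "languages": data.get("languages", [])}
    return {"verdict": NOT_CONFIGURED, "reason": f"state={data.get('state')!r}"}


def fetch_default_setup(owner: str, repo: str, token: str) -> tuple:
    """Call the API and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/code-scanning/default-setup",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "X-GitHub-Api-Version": "2022-11-28"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def audit(owner: str, repo: str, token: str) -> dict:
    """Full check for one repository; the exit-code mapping is done by the caller."""
    status, body = fetch_default_setup(owner, repo, token)
    return classify_default_setup(status, body)


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=<pat> python codeql_default_setup_audit.py OWNER REPO
    # OWNER/REPO are placeholders; GITHUB_TOKEN is an assumed env var name.
    if len(sys.argv) != 3 or not os.environ.get("GITHUB_TOKEN"):
        print("usage: GITHUB_TOKEN=<pat> codeql_default_setup_audit.py OWNER REPO", file=sys.stderr)
        sys.exit(2)
    result = audit(sys.argv[1], sys.argv[2], os.environ["GITHUB_TOKEN"])
    print(json.dumps(result, indent=2))
    # Only a confirmed NOT_CONFIGURED is a compliance failure (exit 1);
    # AUDIT_ERROR exits 2 so it shows up as a broken check, not as drift.
    sys.exit({CONFIGURED: 0, NOT_CONFIGURED: 1, AUDIT_ERROR: 2}[result["verdict"]])
```

The separate exit code for `AUDIT_ERROR` is the design choice that matters: a weekly audit that cannot read the setting should fail loudly as a broken check, so that a token-scope problem on the bot side is fixed rather than left to generate recurring drift findings against repositories that are actually compliant.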
Copilot AI review requested due to automatic review settings April 20, 2026 10:37
coderabbitai (Bot) commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

Reviewing files that changed from the base of the PR and between 256f909 and b5850f8.

Files reviewed: .github/workflows/codeql.yml (deleted; no reviewable changes)

Walkthrough

The pull request removes the custom GitHub Actions CodeQL workflow file (.github/workflows/codeql.yml), aligning the repository with GitHub's managed default CodeQL setup as required by compliance standards. No replacement configuration or additional changes are included.

Changes

CodeQL Workflow Deletion (.github/workflows/codeql.yml): Removed the custom CodeQL analysis workflow that previously ran on pushes and pull requests to main and on a weekly schedule. The workflow included repository checkout, CodeQL initialization for JavaScript/TypeScript and actions, and analysis steps.


Possibly related PRs

  • fix: address OpenSSF Scorecard findings #22: Updates CodeQL workflow configuration in .github/workflows/codeql-analysis.yml, indicating parallel work on CodeQL workflow management and potential coordination with this removal.
Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: removing the drift codeql.yml file and aligning with GitHub-managed default setup as required by org standards.
  • Linked Issues check: Passed. The PR directly addresses issue #95 by removing the non-compliant per-repo codeql.yml file, which aligns with org CI standard §2 requiring GitHub-managed default setup instead.
  • Out of Scope Changes check: Passed. The PR contains only the necessary change (removal of codeql.yml) scoped to resolving the compliance finding; no extraneous modifications are present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


don-petry (Contributor, Author) commented:
@don-petry This PR is ready for review and merge.

What it does: Removes the drift codeql.yml per org CI standard §2, which requires GitHub-managed CodeQL default setup (not per-repo workflow files). The default setup has been re-confirmed as configured.

Context on the recurring compliance finding:

Note: This supersedes open PRs #107 and #113 (same fix, green CI, but unmerged). You may want to close those once this is merged.

Copilot AI left a comment


Pull request overview

Removes the repository-level CodeQL workflow to align with the org CI standard requiring GitHub-managed CodeQL default setup (and to eliminate compliance “drift” findings).

Changes:

  • Deleted .github/workflows/codeql.yml (per-repo CodeQL advanced setup workflow)


Development

Successfully merging this pull request may close these issues.

Compliance: codeql-default-setup-not-configured
