ci: remove drift codeql.yml and enable GitHub-managed default setup

[don-petry]

Summary

• Enabled GitHub-managed CodeQL default setup via API (state=configured, query_suite=default)
• Removed the per-repo .github/workflows/codeql.yml workflow file, which ci-standards §2 classifies as drift

Why

Per ci-standards §2, CodeQL must use GitHub-managed default setup, not an inline workflow file:

per-repo codeql.yml files are treated as drift by the compliance audit. The two configurations are mutually exclusive — leaving the workflow file behind after flipping default setup on causes both to run and double-bills CI minutes.

The API PATCH was applied successfully — GitHub confirmed state=configured with a new run ID. The codeql.yml file is now removed to eliminate the drift finding and prevent double-scanning.

Note on compliance audit 403 errors

The weekly compliance audit has been returning 403 when attempting to read the CodeQL default setup state via GET /repos/.../code-scanning/default-setup. This is a token-scope issue in the audit runner (requires security_events or Administration: write to read code-scanning settings), not a repo configuration problem. The GitHub-managed setup itself is configured — a direct API call confirms {"state":"configured"}. Once the audit token is updated with the correct scope, the finding should auto-close.

Closes #168

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 1 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 46 minutes and 1 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dba7224b-db98-4aca-a924-6df37e9484d8

📥 Commits

Reviewing files that changed from the base of the PR and between 32e618b and 152d928.

📒 Files selected for processing (1)

• .github/workflows/codeql.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-168-20260418-1849

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry — PR is ready for review. This removes the drift codeql.yml and confirms GitHub-managed CodeQL default setup is enabled (state=configured). Please review and merge when ready.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Removes the repository-scoped CodeQL workflow so the repo relies solely on GitHub-managed CodeQL default setup (to avoid “drift” and double-scanning).

Changes:

• Deleted .github/workflows/codeql.yml to eliminate per-repo CodeQL workflow configuration.
• Leaves CodeQL configuration to GitHub-managed default setup (configured out-of-band via API, per PR description).

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud