
ci: remove drift codeql.yml and enable GitHub-managed default setup#105

Open
don-petry wants to merge 1 commit into main from claude/issue-92-20260414-1257

Conversation

@don-petry (Contributor)

Summary

  • Enabled GitHub-managed CodeQL default setup via API (state=configured, query_suite=default)
  • Deleted .github/workflows/codeql.yml — per org standard ci-standards.md §2, per-repo CodeQL workflow files are drift; the two configurations are mutually exclusive and leaving the file causes double-billing of CI minutes

Why

The compliance audit (codeql-default-setup-not-configured) flags repos whose GitHub-managed default setup is not in configured state. The org standard explicitly requires GitHub-managed default setup and treats per-repo codeql.yml files as drift to be removed.

Closes #92


Generated with Claude Code

Per org standards (ci-standards.md §2), CodeQL is configured via
GitHub-managed default setup, not a per-repo workflow file. The two
configurations are mutually exclusive — leaving the workflow file
causes double-billing of CI minutes.

- Enabled CodeQL default setup via API (state=configured, query_suite=default)
- Deleted .github/workflows/codeql.yml (flagged as drift by compliance audit)

Closes #92

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 12:59

coderabbitai Bot commented Apr 14, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 16 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 16 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 695baffa-8d56-4327-a94e-f8547e4c918a

📥 Commits

Reviewing files that changed from the base of the PR and between 4235652 and 02d8b9e.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml


@don-petry (Contributor, Author)

@don-petry CI is green — please review and merge when ready.


Copilot AI left a comment


Pull request overview

Removes the repository-local CodeQL GitHub Actions workflow to avoid drift and rely on GitHub-managed CodeQL “default setup” configuration, aligning the repo with the org compliance standard referenced in #92.

Changes:

  • Deleted .github/workflows/codeql.yml to prevent dual CodeQL configurations and duplicate CI usage.
Comments suppressed due to low confidence (1)

.github/workflows/codeql.yml:1

  • Deleting this workflow removes the Analyze (actions) check run that the repo’s code-quality required-status-checks ruleset is currently configured to require (see .github/scripts/apply-code-quality-ruleset.sh, which derives that context name from this workflow). If that ruleset/branch protection is active, merges to the default branch will become blocked because the required check will never appear.

Please update the required check context(s) to match whatever check name GitHub-managed CodeQL default setup produces (or remove CodeQL from required checks if policy allows) before merging this change.



@don-petry (Contributor, Author) left a comment


Automated review — NEEDS HUMAN REVIEW

Risk: HIGH
Reviewed commit: 02d8b9ebb41e58f6346cb98ac98e95f26a0d9c34
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Confirmed live against the GitHub API: ruleset 14805963 (code-quality) currently requires the status check 'Analyze (actions)', which is produced exclusively by the codeql.yml workflow this PR deletes. The GitHub-managed default setup produces a differently named check ('CodeQL', no workflowName). Merging as-is will orphan a required status check — future PRs will be blocked indefinitely waiting for a check that no workflow produces. The PR must update the code-quality ruleset (and/or apply-code-quality-ruleset.sh) to reference the new check name in the same change. Agreeing with deep review: HIGH risk, escalate.

Findings

Critical

  • [critical] .github/workflows/codeql.yml — Verified via gh api repos/petry-projects/markets/rulesets/14805963: the active code-quality ruleset requires status checks SonarCloud and Analyze (actions) with strict_required_status_checks_policy=true. The check Analyze (actions) is produced only by .github/workflows/codeql.yml, which this PR deletes. After merge, that check run will no longer be created on PRs against main, so every subsequent PR will be permanently blocked by the required check. Must update the ruleset (replace Analyze (actions) with the managed-setup name CodeQL) atomically with this deletion, or update .github/scripts/apply-code-quality-ruleset.sh and re-apply, before or as part of merging.

Major

  • [major] .github/workflows/codeql.yml — A CI security-scanner workflow is being removed. The statusCheckRollup on this PR confirms the GitHub-managed CodeQL check is currently firing alongside Analyze (actions) and is SUCCESS, so scanning coverage is not lost as long as the managed setup remains enabled. However, the managed setup was enabled out-of-band via API and is not recorded in any tracked file, so there is no guardrail against silent reversion.
  • [major] (repo-wide) — The PR/commit body claims state=configured, query_suite=default was applied via API, but no infrastructure-as-code artifact in this diff reflects that API call. If the managed setup is later disabled or downgraded (e.g., by another admin, a token rotation, or an accidental API call), no CI will detect the regression — the deleted workflow was the only tripwire. Recommend recording the default-setup state in a tracked config (e.g., apply-repo-settings.sh) or a compliance-audit test before merging.

Minor

  • [minor] .github/scripts/apply-code-quality-ruleset.sh — Still hard-codes {context: "Analyze (actions)"}. Even if the live ruleset is updated manually, the next re-apply of this script would re-introduce the stale required-check name. Update the script in the same PR (or a follow-up that lands before this merges) to reference CodeQL.

Info

  • [info] .github/workflows/codeql.yml:27 — The deleted workflow used SHA-pinned actions (actions/checkout@de0fac… and github/codeql-action@5c8a8a…). The GitHub-managed default setup hides action references entirely — this is consistent with org standard ci-standards.md §2 and is an acceptable trade-off, noted for transparency.
  • [info] (scope) — No application code, dependencies, secrets handling, authN/authZ, input validation, crypto, or data-exposure surfaces are touched. Scope is purely CI configuration. SonarCloud Quality Gate passed with 0 new issues. AgentShield passed. Author is MEMBER (don-petry) working on a bot-generated branch (claude/issue-92-…) tied to compliance issue #92.

CI status

mergeStateStatus: BLOCKED — the PR is currently blocked from merging.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
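Both the Copilot review and the automated review above make the same two points: a ruleset that requires a status-check context nobody produces blocks every future merge, and a default setup enabled only by an out-of-band API call has no tripwire if it is later switched off. The script below is an added example of the compliance check those reviews ask for; it is not code from this repository or from GitHub. It works on the JSON shapes returned by the GitHub REST API (GET /repos/{owner}/{repo}/code-scanning/default-setup and GET /repos/{owner}/{repo}/rulesets/{ruleset_id}) and never touches the network itself; the sample inputs are constructed, the ruleset id is a placeholder, and the assumption that the managed setup's check is named "CodeQL" is taken from the review thread.

```python
"""Offline drift check: GitHub-managed CodeQL default setup versus a required-status-check ruleset.

Added example, not part of the repository under review. Inputs mirror the REST API shapes of
  GET /repos/{owner}/{repo}/code-scanning/default-setup  (state, languages, query_suite, ...)
  GET /repos/{owner}/{repo}/rulesets/{ruleset_id}        (rules[].type == "required_status_checks")
but everything here is constructed sample data; fetching the live JSON is left to `gh api`.
"""
from __future__ import annotations

import copy

# Check names as reported in the review thread. Assumption: the managed setup reports "CodeQL".
MANAGED_CHECK = "CodeQL"
WORKFLOW_CHECK = "Analyze (actions)"


def required_contexts(ruleset: dict) -> list[str]:
    """Status-check contexts the ruleset requires, in order; [] if it has no such rule."""
    contexts: list[str] = []
    for rule in ruleset.get("rules", []):
        if rule.get("type") == "required_status_checks":
            for check in rule["parameters"]["required_status_checks"]:
                contexts.append(check["context"])
    return contexts


def audit(default_setup: dict, ruleset: dict, observed_checks: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means no drift.

    observed_checks is the set of check names that actually ran on a recent PR against the
    default branch (for example the names in `gh pr view --json statusCheckRollup`). Comparing
    the ruleset against what really ran is what catches an orphaned required context: under
    strict_required_status_checks_policy a context nobody produces blocks every merge.
    """
    findings: list[str] = []
    state = default_setup.get("state")
    if state != "configured":
        findings.append(f"default setup state is {state!r}, compliance requires 'configured'")
    elif default_setup.get("query_suite") != "default":
        findings.append(f"default setup query_suite is {default_setup.get('query_suite')!r}, expected 'default'")

    contexts = required_contexts(ruleset)
    if ruleset.get("enforcement", "active") != "active":
        findings.append(f"ruleset {ruleset.get('name')!r} is not active; required checks are not enforced")
    for ctx in contexts:
        if ctx not in observed_checks:
            findings.append(f"ruleset requires {ctx!r} but no workflow or managed setup produces that check")
    if state == "configured" and MANAGED_CHECK not in contexts:
        findings.append(f"default setup is enabled but the ruleset does not require {MANAGED_CHECK!r}; "
                        "a silently disabled scan would go unnoticed")
    return findings


def rewrite_context(ruleset: dict, old: str, new: str) -> dict:
    """Build the body for PUT /repos/{owner}/{repo}/rulesets/{id} that renames one required context.

    The editable fields of the fetched ruleset are copied as-is so the update changes nothing else.
    """
    body = {k: copy.deepcopy(ruleset[k])
            for k in ("name", "target", "enforcement", "bypass_actors", "conditions") if k in ruleset}
    rules = copy.deepcopy(ruleset.get("rules", []))
    for rule in rules:
        if rule.get("type") == "required_status_checks":
            for check in rule["parameters"]["required_status_checks"]:
                if check["context"] == old:
                    check["context"] = new
    body["rules"] = rules
    return body


# Constructed sample inputs (not real API responses).
SAMPLE_DEFAULT_SETUP = {"state": "configured", "languages": ["actions"],
                        "query_suite": "default", "schedule": "weekly"}
SAMPLE_RULESET = {
    "id": 1, "name": "code-quality", "target": "branch", "enforcement": "active",
    "rules": [{
        "type": "required_status_checks",
        "parameters": {
            "strict_required_status_checks_policy": True,
            "required_status_checks": [{"context": "SonarCloud"}, {"context": WORKFLOW_CHECK}],
        },
    }],
}
# Checks seen on a PR once codeql.yml is deleted: the managed setup's check replaces the workflow's.
OBSERVED_AFTER_DELETE = {"SonarCloud", MANAGED_CHECK}


if __name__ == "__main__":
    for line in audit(SAMPLE_DEFAULT_SETUP, SAMPLE_RULESET, OBSERVED_AFTER_DELETE):
        print("DRIFT:", line)
    body = rewrite_context(SAMPLE_RULESET, WORKFLOW_CHECK, MANAGED_CHECK)
    print("after rename:", audit(SAMPLE_DEFAULT_SETUP, body, OBSERVED_AFTER_DELETE) or "clean")
```

To run it against a real repository, feed it the output of `gh api repos/OWNER/REPO/code-scanning/default-setup` and `gh api repos/OWNER/REPO/rulesets/ID`, and apply the dictionary returned by rewrite_context with `gh api -X PUT repos/OWNER/REPO/rulesets/ID --input body.json`. Running audit on a schedule, or as a test in the compliance-audit job, is the tripwire the reviews say the deleted workflow used to provide: it fails when the default setup is no longer configured, when the ruleset is switched off, or when a required context stops being produced.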

@github-actions (Contributor)

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push


Development

Successfully merging this pull request may close these issues.

Compliance: codeql-default-setup-not-configured
