
ci: remove drift codeql.yml — GitHub-managed default setup is configured #114

Open
don-petry wants to merge 1 commit into main from claude/issue-92-20260418-1841

Conversation

@don-petry
Contributor

Summary

  • Deletes .github/workflows/codeql.yml which is drift per org standard §2
  • GitHub-managed CodeQL default setup is already in state configured (languages: ["actions"], query_suite: default)
  • Per ci-standards.md §2, having both a per-repo codeql.yml and default setup active simultaneously causes double CI billing and is explicitly disallowed

Why the compliance audit still shows 403

The compliance audit's PAT lacks security_events: read permission (fine-grained) or repo scope (classic), causing it to get HTTP 403 when calling /code-scanning/default-setup. This is an org-level infra issue with the audit's token — the setup itself is configured. Removing the drift file is the repo-side fix; the token permission fix needs to happen in the .github org repo's secrets.

Test plan

  • Verified GitHub-managed default setup state via gh api repos/petry-projects/markets/code-scanning/default-setup → state: configured
  • codeql.yml deleted; no more double-scan billing
  • Compliance audit will close the finding once the audit token permissions are corrected at org level

Closes #92

Generated with Claude Code

GitHub-managed CodeQL default setup is already in state `configured`
(languages: actions, query_suite: default) per org standard §2.

Per ci-standards.md §2, per-repo codeql.yml files are treated as drift
by the compliance audit. Having both the workflow file and default setup
causes double CI billing and coexistence is not supported.

Closes #92

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
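The PR description turns on one distinction: a 403 from the default-setup endpoint tells you about the audit token, not about the repository's scanning state, and the org rule treats codeql.yml alongside an active default setup as drift. The script below is an added example (not code from this PR or the petry-projects repository) that encodes that decision logic so it can be checked offline: it classifies an HTTP status plus response body into a verdict, then applies the drift rule given whether .github/workflows/codeql.yml exists. The sample response bodies are constructed; the field names state, languages and query_suite are the ones the PR quotes, and the live fetch helper assumes the standard GET /repos/{owner}/{repo}/code-scanning/default-setup endpoint.

```python
"""Interpret GitHub code-scanning default-setup responses and the
"per-repo codeql.yml + default setup = drift" rule described in the PR.
Added example, not the PR's own code; sample bodies are constructed."""
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample responses. Assumption: the real endpoint returns at
# least the keys state / languages / query_suite that the PR quotes.
CONFIGURED_BODY = json.dumps({
    "state": "configured", "languages": ["actions"],
    "query_suite": "default", "updated_at": "2026-04-09T00:00:00Z"})
NOT_CONFIGURED_BODY = json.dumps({
    "state": "not-configured", "languages": [], "query_suite": "default"})
FORBIDDEN_BODY = json.dumps({  # constructed 403 body
    "message": "Resource not accessible by personal access token"})


@dataclass
class DefaultSetup:
    state: Optional[str]         # "configured", "not-configured", or None (unknown)
    languages: Tuple[str, ...]
    verdict: str                 # machine-readable reason, see classify_default_setup


def classify_default_setup(http_status: int, body: str) -> DefaultSetup:
    """Map (status, body) to a verdict. A 403 means the caller's token lacks
    security_events: read (fine-grained) or repo scope (classic); it says
    nothing about whether default setup is configured, so state stays None."""
    if http_status == 403:
        return DefaultSetup(None, (), "audit-token-lacks-security_events-read")
    if http_status == 404:
        return DefaultSetup(None, (), "repo-not-found-or-no-access")
    if http_status != 200:
        return DefaultSetup(None, (), f"unexpected-http-{http_status}")
    data = json.loads(body)
    state = data.get("state")
    langs = tuple(data.get("languages") or ())
    verdict = "configured" if state == "configured" else "not-configured"
    return DefaultSetup(state, langs, verdict)


def drift_verdict(setup: DefaultSetup, workflow_file_present: bool) -> str:
    """Apply the org rule as the PR describes it: a per-repo codeql.yml
    alongside an active managed default setup is drift (double scan)."""
    if setup.state is None:
        return "inconclusive: " + setup.verdict   # fix the token, not the repo
    if setup.state == "configured" and workflow_file_present:
        return "drift: delete .github/workflows/codeql.yml (double scan, double billing)"
    if setup.state == "configured":
        return "compliant: managed default setup only"
    if workflow_file_present:
        return "compliant: per-repo workflow only (default setup not configured)"
    return "non-compliant: no CodeQL scanning at all"


def fetch_default_setup(repo: str, token: str) -> Tuple[int, str]:
    """Live call, not exercised offline: GET /repos/{repo}/code-scanning/default-setup.
    Returns (http_status, body) so a 403 can be classified rather than raised."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(
        f"https://api.github.com/repos/{repo}/code-scanning/default-setup",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Walk the three situations the PR discusses with constructed inputs.
    for status, body, has_file in [(200, CONFIGURED_BODY, True),
                                   (403, FORBIDDEN_BODY, True),
                                   (200, NOT_CONFIGURED_BODY, False)]:
        print(status, "->", drift_verdict(classify_default_setup(status, body), has_file))
```

The important branch is the first one in drift_verdict: a 403 yields "inconclusive" rather than "not configured", which is exactly why the audit's finding must be resolved by granting the token security_events: read rather than by re-adding a workflow file.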
Copilot AI review requested due to automatic review settings April 18, 2026 18:44
@coderabbitai

coderabbitai Bot commented Apr 18, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 57 minutes and 58 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 57 minutes and 58 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bfca8871-bf74-4779-aa5c-2ff0b92e1605

📥 Commits

Reviewing files that changed from the base of the PR and between f9d9937 and 0c72d7d.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

@don-petry
Contributor Author

@don-petry — PR is ready for review and merge. This removes the drift codeql.yml workflow file; GitHub-managed CodeQL default setup is already configured. The compliance audit 403 errors are a token-permissions issue in the audit infra (the audit's PAT needs security_events: read or repo scope) — that's the remaining blocker for the weekly check to stop firing.

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Removes the repository-level CodeQL workflow to eliminate drift from org CI standards and avoid double-running CodeQL when GitHub-managed default setup is already configured.

Changes:

  • Deleted .github/workflows/codeql.yml to rely exclusively on GitHub-managed CodeQL default setup.

@github-actions
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

Contributor Author

@don-petry don-petry left a comment

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: 0c72d7d08ffd0049596a8e823251e629a622a384
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

The change itself is org-standard-compliant — GitHub-managed CodeQL default setup is verified configured (state: configured, languages: [actions], query_suite: default) and ci-standards.md §2 explicitly requires deleting per-repo codeql.yml as drift. However, this PR cannot be merged: it has a merge conflict, lacks human approval, and is incomplete because it does not update apply-code-quality-ruleset.sh (which still hardcodes 'Analyze (actions)' as a required check — running that script post-merge would block all future PRs). PR #126 supersedes this with a more complete fix addressing both issues atomically.

Findings

Major

  • [major] merge-state — Branch has merge conflict (mergeable: CONFLICTING, mergeStateStatus: DIRTY). Auto-rebase failed 2026-04-21. Hard blocker — PR cannot be merged as-is.
  • [major] .github/scripts/apply-code-quality-ruleset.sh:55 — Script still hardcodes 'Analyze (actions)' as a required status check. After this PR merges, that check name will no longer be produced — only 'CodeQL' from managed default setup. If anyone runs the script, it will regress the live ruleset and block all future PRs from merging. PR #126 fixes both files atomically.

Minor

  • [minor] review-process — No human approvals (reviewDecision: REVIEW_REQUIRED). CODEOWNERS requires @don-petry but @don-petry is the PR author — self-review pattern on a security-scanning change. Only automated reviewers commented (Copilot COMMENTED, CodeRabbit rate-limited).
  • [minor] superseded — PR #126 (branch claude/issue-92-20260419-1733) supersedes this PR with a more complete fix: it deletes codeql.yml AND updates apply-code-quality-ruleset.sh to require 'CodeQL' instead of 'Analyze (actions)'. This PR should be closed in favor of #126 (though #126 also has merge conflicts that need resolution).

Info

  • [info] .github/workflows/codeql.yml — Deleted workflow used SHA-pinned action references. GitHub-managed default setup does not expose SHA pinning. The org standard (ci-standards.md §2) explicitly accepts this tradeoff.
  • [info] security-posture-verified — GitHub-managed CodeQL default setup independently verified as configured via API: state=configured, languages=[actions], query_suite=default, updated_at=2026-04-09. The compliance audit 403 is a token-permissions issue (PAT lacks security_events:read), not a state issue. All CI checks passed including both CodeQL scans.

CI status

All CI checks passed at the reviewed commit.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
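The [major] finding above describes a failure mode worth checking mechanically: a ruleset that still requires a status-check context ("Analyze (actions)") that no workflow produces after the deletion, which would leave every future PR permanently pending. The script below is an added example, not the repository's apply-code-quality-ruleset.sh, that compares a ruleset's required contexts against the check-run names actually reported on a reference commit and lists the orphaned ones, plus a helper that renames a required context in the ruleset JSON. The ruleset and check-run documents are constructed; their field names follow the GitHub rulesets API (rules[].type == "required_status_checks", parameters.required_status_checks[].context) and the check-runs API (check_runs[].name) as I understand them, which is an assumption about shape, not something verified against this repository.

```python
"""Find required status-check contexts that no check run produces any more.
Added example, not the project's own script; sample JSON is constructed."""
import json
from typing import List, Set

# Constructed ruleset modelled on the GitHub rulesets API shape (assumption).
RULESET_JSON = json.dumps({
    "name": "code-quality",
    "rules": [
        {"type": "pull_request",
         "parameters": {"required_approving_review_count": 1}},
        {"type": "required_status_checks",
         "parameters": {"strict_required_status_checks_policy": True,
                        "required_status_checks": [
                            {"context": "Analyze (actions)"},   # produced only by the deleted workflow
                            {"context": "lint"}]}},
    ],
})

# Constructed check-runs payload for a commit after codeql.yml is gone:
# managed default setup reports "CodeQL", nothing reports "Analyze (actions)".
CHECK_RUNS_JSON = json.dumps({
    "total_count": 2,
    "check_runs": [{"name": "CodeQL", "conclusion": "success"},
                   {"name": "lint", "conclusion": "success"}],
})


def required_contexts(ruleset_json: str) -> List[str]:
    """Collect every context listed in required_status_checks rules."""
    ruleset = json.loads(ruleset_json)
    contexts: List[str] = []
    for rule in ruleset.get("rules", []):
        if rule.get("type") == "required_status_checks":
            contexts.extend(c["context"]
                            for c in rule["parameters"]["required_status_checks"])
    return contexts


def produced_checks(check_runs_json: str) -> Set[str]:
    """Names of check runs reported on the reference commit."""
    return {run["name"] for run in json.loads(check_runs_json)["check_runs"]}


def orphaned_required_checks(ruleset_json: str, check_runs_json: str) -> List[str]:
    """Required contexts with no matching check run. Any entry here means the
    ruleset, once applied, blocks every PR because the check can never report."""
    have = produced_checks(check_runs_json)
    return [c for c in required_contexts(ruleset_json) if c not in have]


def rename_required_context(ruleset_json: str, old: str, new: str) -> str:
    """Return the ruleset JSON with one required context renamed, e.g.
    'Analyze (actions)' -> 'CodeQL', leaving all other rules untouched."""
    ruleset = json.loads(ruleset_json)
    for rule in ruleset.get("rules", []):
        if rule.get("type") == "required_status_checks":
            for check in rule["parameters"]["required_status_checks"]:
                if check["context"] == old:
                    check["context"] = new
    return json.dumps(ruleset)


if __name__ == "__main__":
    print("orphaned before fix:", orphaned_required_checks(RULESET_JSON, CHECK_RUNS_JSON))
    fixed = rename_required_context(RULESET_JSON, "Analyze (actions)", "CodeQL")
    print("orphaned after fix: ", orphaned_required_checks(fixed, CHECK_RUNS_JSON))
```

Running orphaned_required_checks against the live ruleset and the check runs of the first post-merge commit, before anyone re-applies the ruleset script, is the cheap way to confirm that the workflow deletion and the ruleset update land together.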

@don-petry
Contributor Author

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on main if the branch is behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

Development

Successfully merging this pull request may close these issues.

Compliance: codeql-default-setup-not-configured