Conversation
The org now uses GitHub-managed CodeQL default setup. Per-repo workflow files are drift and run duplicate analysis alongside default setup.

Closes #93

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
No actionable comments were generated in the recent review. 🎉

Walkthrough

Removes the repository's CodeQL GitHub Actions workflow to comply with organizational standards that now use GitHub-managed default setup instead of per-repo workflow configurations.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Pre-merge checks: 5 passed
Self-review

The change is minimal and precise:

CI is running; no other files were touched. @don-petry — you're the code owner for this repo. Once CI is green, please review and merge to close the compliance finding.
Pull request overview
Removes the repository-local CodeQL GitHub Actions workflow to avoid duplicating analysis now that the org uses GitHub-managed CodeQL default setup.
Changes:

- Deletes .github/workflows/codeql.yml to eliminate the redundant CodeQL workflow.
Comments suppressed due to low confidence (1)

.github/workflows/codeql.yml:1

- Deleting this workflow removes the "Analyze (actions)" check run that it produced. This repo still documents/enforces required status checks via .github/scripts/apply-code-quality-ruleset.sh, which currently references context "Analyze (actions)" derived from this workflow; if that ruleset (or any branch protection) is active, merges will be blocked once this workflow is gone. Please update the required check context to match the GitHub-managed CodeQL default setup check name (or remove the requirement) as part of this change.
don-petry left a comment
Automated review — NEEDS HUMAN REVIEW
Risk: MEDIUM
Reviewed commit: bcb84866df760bbffbf544df457f1618aaccdae8
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
PR deletes the per-repo codeql.yml workflow to comply with org standard (issue #93). All CI checks pass and the change is minimal and well-scoped. However, .github/scripts/apply-code-quality-ruleset.sh lists 'Analyze (actions)' — the check produced exclusively by the deleted workflow — as a required status check in the code-quality branch ruleset; once merged, that check will never run again on future PRs, which could permanently block all subsequent merges if the active ruleset has not already been updated to use the managed-CodeQL check name ('CodeQL').
Findings
Major
- .github/scripts/apply-code-quality-ruleset.sh:48 — apply-code-quality-ruleset.sh requires the 'Analyze (actions)' status check (line ~48), which is produced only by the codeql.yml workflow being deleted here. After merge, that check will never run again. If the active branch ruleset still requires it, all future PRs will be permanently blocked. The PR should either (a) update the ruleset script to replace 'Analyze (actions)' with 'CodeQL' (the managed-setup check name visible in this PR's own statusCheckRollup) and re-apply the ruleset, or (b) confirm that the canonical org-level ruleset management (petry-projects/.github/scripts/apply-rulesets.sh) has already been updated and the repo ruleset reflects the new check name.
Info
- Copilot review flagged the same ruleset/required-check conflict as a low-confidence comment; the thread was suppressed but the concern is substantiated by reading the ruleset script.
- GitHub-managed CodeQL ('CodeQL' check, conclusion: SUCCESS) and SonarCloud both ran cleanly on this PR. Deleting the per-repo workflow does not create a CodeQL coverage gap — the managed setup already provides equivalent scanning.
- .github/workflows/codeql.yml — Change directly satisfies issue #93 (stray-codeql-workflow compliance finding). No exceptions apply: the deleted workflow used default build mode, only scanned the 'actions' language, and had no custom query pack or path filters.
CI status
All CI checks passed on the reviewed commit. The concern is not current CI failure but a post-merge ruleset conflict that would affect future PRs.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
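The orphaned-required-check problem raised in the two reviews above (a ruleset still requiring the "Analyze (actions)" context after the only workflow that produced it is deleted) can be checked mechanically before merging. The script below is an added example written for this page; it is not part of the PR, of apply-code-quality-ruleset.sh, or of any petry-projects tooling. It assumes two inputs shaped like GitHub's own API responses: a ruleset object as returned by `gh api repos/OWNER/REPO/rulesets/RULESET_ID` (a `rules` array whose `required_status_checks` entry lists `context` names, plus an `enforcement` field), and the `statusCheckRollup` array from `gh pr view PR --json statusCheckRollup` (check runs carry `name`, legacy commit statuses carry `context`). Both sample inputs are constructed; the "SonarCloud Code Analysis" context name and the `build` check are assumptions, while "CodeQL" and "Analyze (actions)" are the names the reviews above cite.

```python
"""Find required status-check contexts that nothing on a commit reports any more.

Added example, not the repository's own script. Input shapes (ruleset from the
REST rulesets API, rollup from `gh pr view --json statusCheckRollup`) are assumed.
"""
import json
from typing import Iterable

# Constructed sample ruleset: still requires the check produced by the deleted
# per-repo workflow ("Analyze (actions)"). The SonarCloud context is assumed.
SAMPLE_RULESET = {
    "id": 1,
    "name": "code-quality",
    "enforcement": "active",
    "rules": [
        {"type": "pull_request", "parameters": {"required_approving_review_count": 1}},
        {
            "type": "required_status_checks",
            "parameters": {
                "strict_required_status_checks_policy": True,
                "required_status_checks": [
                    {"context": "Analyze (actions)"},
                    {"context": "SonarCloud Code Analysis"},
                ],
            },
        },
    ],
}

# Constructed sample rollup for a commit after the workflow is gone: managed CodeQL
# reports a CheckRun named "CodeQL"; SonarCloud is modelled as a legacy commit
# status, which the rollup exposes under "context" rather than "name" (assumed).
SAMPLE_ROLLUP = [
    {"__typename": "CheckRun", "name": "CodeQL", "conclusion": "SUCCESS"},
    {"__typename": "StatusContext", "context": "SonarCloud Code Analysis", "state": "SUCCESS"},
    {"__typename": "CheckRun", "name": "build", "conclusion": "SUCCESS"},
]


def required_contexts(ruleset: dict) -> list[str]:
    """Every status-check context the ruleset requires, in ruleset order."""
    contexts = []
    for rule in ruleset.get("rules", []):
        if rule.get("type") != "required_status_checks":
            continue
        for check in rule.get("parameters", {}).get("required_status_checks", []):
            contexts.append(check["context"])
    return contexts


def reported_contexts(rollup: Iterable[dict]) -> set[str]:
    """Names under which the commit's checks reported (CheckRun.name or StatusContext.context)."""
    names = set()
    for item in rollup:
        name = item.get("name") or item.get("context")
        if name:
            names.add(name)
    return names


def orphaned_required_checks(ruleset: dict, rollup: Iterable[dict]) -> list[str]:
    """Required contexts that nothing on the commit produced: with no producer they never turn green."""
    reported = reported_contexts(rollup)
    return [c for c in required_contexts(ruleset) if c not in reported]


def would_block_merges(ruleset: dict, rollup: Iterable[dict]) -> bool:
    """True only when the ruleset is actively enforced and has an orphaned required check."""
    return ruleset.get("enforcement") == "active" and bool(orphaned_required_checks(ruleset, rollup))


def rename_required_check(ruleset: dict, old: str, new: str) -> dict:
    """Copy of the ruleset with context `old` replaced by `new`, deduplicated.

    The result is the kind of body one would send back with
    `gh api -X PUT repos/OWNER/REPO/rulesets/ID --input -` (assumed usage).
    """
    updated = json.loads(json.dumps(ruleset))  # deep copy; leave the caller's object untouched
    for rule in updated.get("rules", []):
        if rule.get("type") != "required_status_checks":
            continue
        params = rule["parameters"]
        seen, rewritten = set(), []
        for check in params["required_status_checks"]:
            ctx = new if check["context"] == old else check["context"]
            if ctx in seen:  # old and new both present: keep a single entry
                continue
            seen.add(ctx)
            rewritten.append({**check, "context": ctx})
        params["required_status_checks"] = rewritten
    return updated


if __name__ == "__main__":
    print("orphaned:", orphaned_required_checks(SAMPLE_RULESET, SAMPLE_ROLLUP))
    print("blocks merges:", would_block_merges(SAMPLE_RULESET, SAMPLE_ROLLUP))
    fixed = rename_required_check(SAMPLE_RULESET, "Analyze (actions)", "CodeQL")
    print("orphaned after rename:", orphaned_required_checks(fixed, SAMPLE_ROLLUP))
```

Run against the real ruleset and the PR's own rollup, the orphan list is the set of contexts that will block every future PR once the workflow is deleted; an `enforcement` of `evaluate` or `disabled` means the conflict is latent rather than blocking, which is why `would_block_merges` checks it separately.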
Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Additional tasks

The review cascade will automatically re-review after new commits are pushed.
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push:

Summary

- .github/workflows/codeql.yml (36 lines)

Closes #93

Generated with Claude Code

Summary by CodeRabbit