
Add Custom CodeQL Workflow#64

Merged
emnul merged 3 commits into main from add-codeql-workflow
Feb 3, 2026

Conversation

@emnul
Contributor

@emnul emnul commented Feb 3, 2026

With the basic CodeQL workflow, GitHub sometimes gets "stuck" scanning the code for certain changes. This blocks our PRs, since we require CodeQL scanning to merge. Adding a custom CodeQL workflow allows us to manually "re-scan" code in cases where CodeQL gets stuck.

Summary by CodeRabbit

  • Chores
    • Added automated CodeQL analysis in CI to continuously scan JavaScript/TypeScript and GitHub Actions code on pushes and pull requests to the main branch.
    • Uses hardened runners and restricted permissions for safer execution; scans run per language with independent outcomes.
    • No user-facing changes; application behavior and performance are unaffected.

Signed-off-by: ⟣ €₥ℵ∪ℓ ⟢ <[email protected]>
@emnul emnul requested review from a team as code owners February 3, 2026 15:42
@coderabbitai

coderabbitai bot commented Feb 3, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


Walkthrough

Adds a new GitHub Actions workflow for CodeQL analysis that runs on pushes and pull requests to main, using Ubuntu 24.04. It analyzes javascript-typescript and actions via a matrix, with hardened runner, minimal permissions, and steps to initialize and perform CodeQL analysis.

Changes

Cohort / File(s): CI Workflow: CodeQL (.github/workflows/codeql.yml)
Summary: Add CodeQL Analysis workflow: triggers on push/pull_request to main; ubuntu-24.04; 30m timeout; restricted permissions; matrix for javascript-typescript and actions; steps include harden-runner, checkout (depth 2), environment setup, CodeQL init, and analysis; fail-fast disabled.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump my paws on the build-time floor,
New scans hop in where bugs might snore.
With carrots of queries and lettuce of logs,
I sniff through code like clever hedgehogs.
CodeQL burrows through each lane—
Hop, scan, squeak—secure again! 🥕🐇

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped: CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title clearly summarizes the main change of introducing a custom CodeQL workflow.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/codeql.yml:
- Around line 3-8: The workflow trigger block for the CodeQL job is missing a
manual trigger, so add "workflow_dispatch:" under the top-level "on:" triggers
(alongside "push" and "pull_request") to allow maintainers to re-run scans
manually; update the on: block in the codeql.yml file to include
workflow_dispatch so the workflow can be launched on demand.
- Around line 15-18: The workflow sets explicit permissions but omits contents:
read, which causes actions/checkout to fail; update the permissions block (the
YAML mapping shown) to include "contents: read" alongside "packages: read" and
"security-events: write" so the actions/checkout step can access the repository
contents.
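To make the two findings above concrete, here is what a complete workflow along the lines of the walkthrough looks like once both fixes are applied: a workflow_dispatch trigger for manual re-scans, and an explicit permissions block that grants contents: read alongside the scopes the PR already set. This is an added illustrative example, not the repository's actual .github/workflows/codeql.yml. The action versions (actions/checkout@v4, github/codeql-action@v3, step-security/harden-runner@v2), the harden-runner egress-policy value and the analyze category are assumptions; the "environment setup" step the walkthrough mentions is left as a comment because its contents are not shown on this page.

```yaml
# Added example assembled from this PR's description and review comments.
# Not the repository's own file; action versions and the harden-runner
# settings below are assumptions.
name: "CodeQL Analysis"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Manual trigger: adds the "Run workflow" button so a stuck scan can be
  # re-run on demand against the branch selected when dispatching.
  workflow_dispatch:

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    permissions:
      # Once any permission is listed explicitly, every unlisted scope
      # becomes "none", so actions/checkout needs contents: read spelled out.
      contents: read
      # required to fetch internal or private CodeQL packs
      packages: read
      # needed to upload SARIF results to code scanning
      security-events: write
    strategy:
      # One language failing must not cancel the other matrix leg.
      fail-fast: false
      matrix:
        language: [javascript-typescript, actions]
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2   # version assumed
        with:
          # "audit" logs egress without blocking; assumed value. Switch to
          # "block" with an allowed-endpoints list once egress is known.
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@v4   # version assumed
        with:
          # depth 2 as in the PR's workflow: the merge commit plus its parent
          fetch-depth: 2

      # Environment setup step (e.g. a toolchain install) goes here. The PR
      # page does not show its contents, so it is omitted in this example.

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3   # version assumed
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3   # version assumed
        with:
          # Distinct category per matrix leg keeps the two result sets apart.
          category: "/language:${{ matrix.language }}"
```

Once merged, a manual re-scan can be started from the Actions tab or with `gh workflow run codeql.yml --ref <branch>`; choose the branch whose scan is stuck rather than main. As the later discussion in this thread notes, the repository's code scanning setting also has to point at this workflow instead of GitHub's built-in default scan, otherwise the required check still waits on the default scan.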

Comment on lines 3 to 8
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]


@coderabbitai coderabbitai bot Feb 3, 2026


⚠️ Potential issue | 🟠 Major

Add a manual trigger so maintainers can re-run stuck scans.

The PR objective says maintainers need a manual re-scan, but workflow_dispatch isn’t enabled in the trigger block. Please add it so the workflow can be launched on demand.

Proposed fix
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
+  workflow_dispatch:
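Review bot: adding a bare workflow_dispatch is the minimal correct fix, but a dispatched run executes against whichever branch is selected when it is launched, so clearing a stuck PR scan means selecting that PR's branch, not main. A one-line comment above the trigger stating that purpose would spare the next maintainer the guesswork; inputs are not needed unless you actually want to pick a single matrix language per run.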

Member


+1 to the suggestion


@0xisk Thanks! Here’s the exact patch to enable manual runs:

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
+  workflow_dispatch:

This will add the “Run workflow” button in Actions so maintainers can re-scan on demand when CodeQL gets stuck. If you’d like, I can also add optional inputs (e.g., language, scan mode) to the workflow_dispatch trigger—just say the word.

(⁎˃ᴗ˂⁎)ʚ🐇ɞ

Comment on lines 15 to 18
permissions:
  # required to fetch internal or private CodeQL packs
  packages: read
  security-events: write

@coderabbitai coderabbitai bot Feb 3, 2026


⚠️ Potential issue | 🟠 Major

Grant contents: read or checkout will fail.

Once you set explicit permissions, the default becomes none. actions/checkout needs contents: read, so this workflow will error on Line 32 without it.

Proposed fix
 permissions:
+  contents: read
   # required to fetch internal or private CodeQL packs
   packages: read
   security-events: write
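Review bot: contents: read is the right addition, since an explicit permissions block sets every scope not listed to none and checkout cannot clone without it. While touching this block, the comment on packages: read says it is only required for internal or private CodeQL packs; if this workflow uses none, that scope can be dropped as well, which keeps the block at the least privilege the PR is aiming for.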

Member


+1 to the suggestion


@0xisk Sounds good. Here’s the corrected job-level permissions block to drop under jobs.analyze so checkout can read the repo:

permissions:
  contents: read
  # required to fetch internal or private CodeQL packs
  packages: read
  security-events: write

This keeps least-privilege while unblocking actions/checkout. If manual re-scan via workflow_dispatch isn’t already defined elsewhere in the workflow, let me know and I can suggest the minimal trigger addition as well.

Member

@0xisk 0xisk left a comment


Thank you @emnul! We just need to fix the suggestions from coderabbitai.


Contributor

@andrew-fleming andrew-fleming left a comment


It appears like the issue is GH waiting on its own scanning feature, no? I imagine we'd have to disable that as the default and change it to the new workflow if we use this. lmk if I'm incorrect

@emnul
Contributor Author

emnul commented Feb 3, 2026

It appears like the issue is GH waiting on its own scanning feature, no? I imagine we'd have to disable that as the default and change it to the new workflow if we use this. lmk if I'm incorrect

Yup! I've configured our CodeQL settings to use this workflow instead of the GitHub "basic" one that we have limited control over @andrew-fleming

Contributor

@andrew-fleming andrew-fleming left a comment


Very nice @emnul! I left a minor question and comment. Borderline nits

Contributor

@andrew-fleming andrew-fleming left a comment


LGTM!

@emnul emnul merged commit e61cd0e into main Feb 3, 2026
10 checks passed
@emnul emnul deleted the add-codeql-workflow branch February 3, 2026 19:54