Skip to content

ci: remove drift codeql.yml and enable GitHub-managed default setup#187

Closed
don-petry wants to merge 3 commits into
mainfrom
claude/issue-168-20260414-1135
Closed

ci: remove drift codeql.yml and enable GitHub-managed default setup#187
don-petry wants to merge 3 commits into
mainfrom
claude/issue-168-20260414-1135

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Enabled GitHub-managed CodeQL default setup via the API (state=configured, query_suite=default)
  • Removed the per-repo .github/workflows/codeql.yml workflow file, which the CI standards (§2) classify as drift now that default setup is active
  • The two configurations are mutually exclusive — leaving the workflow file behind causes double billing of CI minutes

Why

Per ci-standards §2, CodeQL must use GitHub-managed default setup, not an inline workflow file. The weekly compliance audit was flagging this repo with codeql-default-setup-not-configured because default setup had never been explicitly enabled, and the per-repo codeql.yml is treated as drift.

Closes #168

Generated with Claude Code

Per ci-standards §2, CodeQL should use GitHub-managed default setup
rather than a per-repo workflow file. The inline codeql.yml is now
drift — default setup has been enabled via the API (state=configured,
query_suite=default).

Closes #168

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 11:37
@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 43 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 43 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8a227e7c-3330-4d92-9f0a-a90c99b624d1

📥 Commits

Reviewing files that changed from the base of the PR and between 56ee75a and 6a56435.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-168-20260414-1135

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Hey @don-petry — this PR is ready for your review. It enables GitHub-managed CodeQL default setup (as required by ci-standards §2) and removes the drift codeql.yml workflow file.

@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR migrates CodeQL scanning from a repository-managed workflow to GitHub-managed CodeQL default setup to align with the org CI standards and avoid duplicated runs.

Changes:

  • Removed the per-repo CodeQL workflow (.github/workflows/codeql.yml) so CodeQL runs only via GitHub-managed default setup.
  • Relies on enabling CodeQL default setup via repository settings/API (state=configured, query_suite=default) as described in the PR.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: e42e6bc2a25c4cbd8bed4824fbe7267892d327ae
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR deletes a per-repo CodeQL workflow file that has become redundant drift now that GitHub-managed default setup is active. All CI checks pass (CodeQL, SonarCloud, build, tests), GitHub-managed CodeQL is confirmed running via the separate status check, and language coverage is unchanged. The triage escalation was caused by a triage-tier crash, not a genuine security signal.

Findings

Info

  • .github/workflows/codeql.yml — GitHub-managed CodeQL default setup is confirmed active (status check CodeQL with workflowName='' passed). The deleted workflow covered javascript-typescript and actions; default setup also adds python. No coverage regression.
  • .github/workflows/codeql.yml — The deleted workflow used good hygiene: pinned action SHAs, permissions: {} at workflow level, scoped security-events: write at job level. GitHub-managed setup is maintained by GitHub and should be equivalently secure.
  • (general) — Triage escalated with signal triage-output-invalid — the triage tier crashed rather than detecting a real issue. Deep review finds no security concerns.

CI status

All CI checks pass (CodeQL, SonarCloud, build, tests).


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 16, 2026 20:45

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing as duplicate of #216 — same fix for issue #187. The newest attempt is kept open.

@don-petry don-petry closed this May 3, 2026
auto-merge was automatically disabled May 3, 2026 15:00

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: codeql-default-setup-not-configured

2 participants