Skip to content

ci: remove drift codeql.yml and enable GitHub-managed default setup#201

Closed
don-petry wants to merge 3 commits into
mainfrom
claude/issue-168-20260418-1849
Closed

ci: remove drift codeql.yml and enable GitHub-managed default setup#201
don-petry wants to merge 3 commits into
mainfrom
claude/issue-168-20260418-1849

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Enabled GitHub-managed CodeQL default setup via API (state=configured, query_suite=default)
  • Removed the per-repo .github/workflows/codeql.yml workflow file, which ci-standards §2 classifies as drift

Why

Per ci-standards §2, CodeQL must use GitHub-managed default setup, not an inline workflow file:

per-repo codeql.yml files are treated as drift by the compliance audit. The two configurations are mutually exclusive — leaving the workflow file behind after flipping default setup on causes both to run and double-bills CI minutes.

The API PATCH was applied successfully — GitHub confirmed state=configured with a new run ID. The codeql.yml file is now removed to eliminate the drift finding and prevent double-scanning.

Note on compliance audit 403 errors

The weekly compliance audit has been returning 403 when attempting to read the CodeQL default setup state via GET /repos/.../code-scanning/default-setup. This is a token-scope issue in the audit runner (requires security_events or Administration: write to read code-scanning settings), not a repo configuration problem. The GitHub-managed setup itself is configured — a direct API call confirms {"state":"configured"}. Once the audit token is updated with the correct scope, the finding should auto-close.

Closes #168

Generated with Claude Code

Per ci-standards §2, CodeQL must use GitHub-managed default setup, not
an inline workflow file. The per-repo codeql.yml is classified as drift
now that default setup is configured (state=configured, query_suite=default).

Enabled GitHub-managed default setup via:
  gh api -X PATCH repos/petry-projects/google-app-scripts/code-scanning/default-setup \
    -F state=configured -F query_suite=default

Closes #168

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 18, 2026 18:52
@coderabbitai

coderabbitai Bot commented Apr 18, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 56 minutes and 13 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 56 minutes and 13 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cd116706-ea7a-4061-9e7e-6939bc2caccb

📥 Commits

Reviewing files that changed from the base of the PR and between 56ee75a and 95f6983.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-168-20260418-1849

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Collaborator Author

@don-petry — PR is ready for review. This removes the drift codeql.yml and confirms GitHub-managed CodeQL default setup is enabled (state=configured). Please review and merge when ready.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Removes the repository-scoped CodeQL workflow so the repo relies solely on GitHub-managed CodeQL default setup (to avoid “drift” and double-scanning).

Changes:

  • Deleted .github/workflows/codeql.yml to eliminate per-repo CodeQL workflow configuration.
  • Leaves CodeQL configuration to GitHub-managed default setup (configured out-of-band via API, per PR description).

@sonarqubecloud

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing as duplicate of #216 — same fix for issue #187. The newest attempt is kept open.

@don-petry don-petry closed this May 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: codeql-default-setup-not-configured

2 participants