ci: remove drift codeql.yml and enable GitHub-managed default setup#216
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@don-petry — PR is ready for review. All CI checks are passing (CodeQL/SonarCloud/Playwright still running but the core checks are green). This removes the drift |
There was a problem hiding this comment.
Pull request overview
Removes the repository’s inline CodeQL workflow to comply with the org CI standard that mandates GitHub-managed CodeQL default setup (configured out-of-band via API), avoiding duplicate CodeQL runs and billing.
Changes:
- Deleted
.github/workflows/codeql.ymlto eliminate workflow “drift” and prevent parallel CodeQL execution alongside GitHub-managed default setup.
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
Per ci-standards §2, the GitHub-managed default setup is the required approach for CodeQL scanning. A per-repo codeql.yml is treated as drift by the compliance audit and causes double CI billing when both run. Enabled default setup via API (state=configured, query_suite=default, run_id=24189972152). Removes the inline codeql.yml workflow file. Closes #168 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
54f9cb3 to
eeb2bfe
Compare
|
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: fd31e8c3f906f72db5f87dae3edb7e465ad9bf8e
Review mode: triage-approved (single reviewer)
Summary
CI-only change: deletes .github/workflows/codeql.yml (−42, +0) so the repo conforms to ci-standards §2, which requires GitHub-managed CodeQL default setup and treats a per-repo codeql.yml as drift (with the side effect of double CI billing). Triage flagged this as low-risk; this confirmation review agrees.
Linked issue analysis
Closes #168 — a compliance-audit finding (codeql-default-setup-not-configured) asking for the default setup to be enabled. The PR body documents that default setup was configured via API (state=configured, query_suite=default, run_id=24189972152), and the live status checks corroborate this: CodeQL Analyze jobs are running for actions, javascript-typescript, and python — but the deleted inline workflow only covered actions and javascript-typescript. The presence of the python check confirms the GitHub-managed default setup is the one running, so removing the inline file will not reduce coverage; it just stops the duplicate run.
Findings
None. The change is a pure deletion of a workflow file that is now redundant with the configured default setup. No code, dependencies, secrets, migrations, or runtime behavior affected.
CI status
- ✅ Analyze (actions) — CodeQL
- ✅ Analyze (javascript-typescript) — CodeQL
- ✅ Analyze (python) — CodeQL (default setup)
- ✅ CodeQL (rollup)
- ✅ CodeRabbit
- ✅ SonarCloud Quality Gate passed (0 new issues, 0 hotspots)
Copilot's prior review summary endorses the same rationale. CodeRabbit hit a rate limit and did not post substantive findings, which is not blocking. mergeStateStatus is BLOCKED only because a human review is required; mergeable is MERGEABLE.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
|



Summary
state=configured,query_suite=default) — API confirmed success withrun_id: 24189972152.github/workflows/codeql.yml— per ci-standards §2, this file is drift; GitHub-managed default setup and a per-repo workflow are mutually exclusive, and leaving both causes double CI billingContext
Per ci-standards §2, CodeQL must be configured via GitHub-managed default setup, not an inline workflow file. A per-repo
codeql.ymlis explicitly flagged as drift by the compliance audit.The compliance audit was reporting 403 errors when reading the CodeQL state — this is a known token-scope limitation of the audit runner (
security_eventsorAdministration: writeis required to read the endpoint). The default setup itself is now configured.Closes #168
Generated with Claude Code