Skip to content

ci: remove drift codeql.yml and enable GitHub-managed default setup#216

Merged
don-petry merged 9 commits into
mainfrom
claude/issue-168-20260419-2233
May 21, 2026
Merged

ci: remove drift codeql.yml and enable GitHub-managed default setup#216
don-petry merged 9 commits into
mainfrom
claude/issue-168-20260419-2233

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Enabled GitHub-managed CodeQL default setup via API (state=configured, query_suite=default) — API confirmed success with run_id: 24189972152
  • Removed .github/workflows/codeql.yml — per ci-standards §2, this file is drift; GitHub-managed default setup and a per-repo workflow are mutually exclusive, and leaving both causes double CI billing

Context

Per ci-standards §2, CodeQL must be configured via GitHub-managed default setup, not an inline workflow file. A per-repo codeql.yml is explicitly flagged as drift by the compliance audit.

The compliance audit was reporting 403 errors when reading the CodeQL state — this is a known token-scope limitation of the audit runner (security_events or Administration: write is required to read the endpoint). The default setup itself is now configured.

Closes #168

Generated with Claude Code

Copilot AI review requested due to automatic review settings April 19, 2026 22:34
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 56 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f5c92934-8ba0-4fdd-abd1-eb43e5ffdb68

📥 Commits

Reviewing files that changed from the base of the PR and between b62abed and aacaf86.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-168-20260419-2233

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Collaborator Author

@don-petry — PR is ready for review. All CI checks are passing (CodeQL/SonarCloud/Playwright still running but the core checks are green). This removes the drift codeql.yml and enables GitHub-managed default setup, which is the fix required by the compliance audit.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Removes the repository’s inline CodeQL workflow to comply with the org CI standard that mandates GitHub-managed CodeQL default setup (configured out-of-band via API), avoiding duplicate CodeQL runs and billing.

Changes:

  • Deleted .github/workflows/codeql.yml to eliminate workflow “drift” and prevent parallel CodeQL execution alongside GitHub-managed default setup.

@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

Per ci-standards §2, the GitHub-managed default setup is the required
approach for CodeQL scanning. A per-repo codeql.yml is treated as drift
by the compliance audit and causes double CI billing when both run.

Enabled default setup via API (state=configured, query_suite=default,
run_id=24189972152). Removes the inline codeql.yml workflow file.

Closes #168

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
@don-petry don-petry force-pushed the claude/issue-168-20260419-2233 branch from 54f9cb3 to eeb2bfe Compare May 13, 2026 17:05
@don-petry don-petry requested a review from a team as a code owner May 13, 2026 17:05
@sonarqubecloud

Copy link
Copy Markdown

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: fd31e8c3f906f72db5f87dae3edb7e465ad9bf8e
Review mode: triage-approved (single reviewer)

Summary

CI-only change: deletes .github/workflows/codeql.yml (−42, +0) so the repo conforms to ci-standards §2, which requires GitHub-managed CodeQL default setup and treats a per-repo codeql.yml as drift (with the side effect of double CI billing). Triage flagged this as low-risk; this confirmation review agrees.

Linked issue analysis

Closes #168 — a compliance-audit finding (codeql-default-setup-not-configured) asking for the default setup to be enabled. The PR body documents that default setup was configured via API (state=configured, query_suite=default, run_id=24189972152), and the live status checks corroborate this: CodeQL Analyze jobs are running for actions, javascript-typescript, and python — but the deleted inline workflow only covered actions and javascript-typescript. The presence of the python check confirms the GitHub-managed default setup is the one running, so removing the inline file will not reduce coverage; it just stops the duplicate run.

Findings

None. The change is a pure deletion of a workflow file that is now redundant with the configured default setup. No code, dependencies, secrets, migrations, or runtime behavior affected.

CI status

  • ✅ Analyze (actions) — CodeQL
  • ✅ Analyze (javascript-typescript) — CodeQL
  • ✅ Analyze (python) — CodeQL (default setup)
  • ✅ CodeQL (rollup)
  • ✅ CodeRabbit
  • ✅ SonarCloud Quality Gate passed (0 new issues, 0 hotspots)

Copilot's prior review summary endorses the same rationale. CodeRabbit hit a rate limit and did not post substantive findings, which is not blocking. mergeStateStatus is BLOCKED only because a human review is required; mergeable is MERGEABLE.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry merged commit 1f31eeb into main May 21, 2026
24 of 25 checks passed
@don-petry don-petry deleted the claude/issue-168-20260419-2233 branch May 21, 2026 08:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: codeql-default-setup-not-configured

3 participants