Skip to content

ci: remove drift codeql.yml — GitHub-managed default setup is configured#114

Closed
don-petry wants to merge 16 commits into
mainfrom
claude/issue-92-20260418-1841
Closed

ci: remove drift codeql.yml — GitHub-managed default setup is configured#114
don-petry wants to merge 16 commits into
mainfrom
claude/issue-92-20260418-1841

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

  • Deletes .github/workflows/codeql.yml which is drift per org standard §2
  • GitHub-managed CodeQL default setup is already in state configured (languages: ["actions"], query_suite: default)
  • Per ci-standards.md §2, having both a per-repo codeql.yml and default setup active simultaneously causes double CI billing and is explicitly disallowed

Why the compliance audit still shows 403

The compliance audit's PAT lacks security_events: read permission (fine-grained) or repo scope (classic), causing it to get HTTP 403 when calling /code-scanning/default-setup. This is an org-level infra issue with the audit's token — the setup itself is configured. Removing the drift file is the repo-side fix; the token permission fix needs to happen in the .github org repo's secrets.

Test plan

  • Verified GitHub-managed default setup state via gh api repos/petry-projects/markets/code-scanning/default-setupstate: configured
  • codeql.yml deleted; no more double-scan billing
  • Compliance audit will close the finding once the audit token permissions are corrected at org level

Closes #92

Generated with Claude Code

Copilot AI review requested due to automatic review settings April 18, 2026 18:44
@coderabbitai

coderabbitai Bot commented Apr 18, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 40 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b1e6f9c0-e7cc-4272-a4e0-a93fafd61bd8

📥 Commits

Reviewing files that changed from the base of the PR and between d8da2d2 and 87fc080.

📒 Files selected for processing (1)
  • .gitignore
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-92-20260418-1841

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

@don-petry — PR is ready for review and merge. This removes the drift codeql.yml workflow file; GitHub-managed CodeQL default setup is already configured. The compliance audit 403 errors are a token-permissions issue in the audit infra (the audit's PAT needs security_events: read or repo scope) — that's the remaining blocker for the weekly check to stop firing.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Removes the repository-level CodeQL workflow to eliminate drift from org CI standards and avoid double-running CodeQL when GitHub-managed default setup is already configured.

Changes:

  • Deleted .github/workflows/codeql.yml to rely exclusively on GitHub-managed CodeQL default setup.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry don-petry left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: 0c72d7d08ffd0049596a8e823251e629a622a384
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

The change itself is org-standard-compliant — GitHub-managed CodeQL default setup is verified configured (state: configured, languages: [actions], query_suite: default) and ci-standards.md §2 explicitly requires deleting per-repo codeql.yml as drift. However, this PR cannot be merged: it has a merge conflict, lacks human approval, and is incomplete because it does not update apply-code-quality-ruleset.sh (which still hardcodes 'Analyze (actions)' as a required check — running that script post-merge would block all future PRs). PR #126 supersedes this with a more complete fix addressing both issues atomically.

Findings

Major

  • [major] merge-state — Branch has merge conflict (mergeable: CONFLICTING, mergeStateStatus: DIRTY). Auto-rebase failed 2026-04-21. Hard blocker — PR cannot be merged as-is.
  • [major] .github/scripts/apply-code-quality-ruleset.sh:55 — Script still hardcodes 'Analyze (actions)' as a required status check. After this PR merges, that check name will no longer be produced — only 'CodeQL' from managed default setup. If anyone runs the script, it will regress the live ruleset and block all future PRs from merging. PR #126 fixes both files atomically.

Minor

  • [minor] review-process — No human approvals (reviewDecision: REVIEW_REQUIRED). CODEOWNERS requires @don-petry but @don-petry is the PR author — self-review pattern on a security-scanning change. Only automated reviewers commented (Copilot COMMENTED, CodeRabbit rate-limited).
  • [minor] superseded — PR #126 (branch claude/issue-92-20260419-1733) supersedes this PR with a more complete fix: it deletes codeql.yml AND updates apply-code-quality-ruleset.sh to require 'CodeQL' instead of 'Analyze (actions)'. This PR should be closed in favor of #126 (though #126 also has merge conflicts that need resolution).

Info

  • [info] .github/workflows/codeql.yml — Deleted workflow used SHA-pinned action references. GitHub-managed default setup does not expose SHA pinning. The org standard (ci-standards.md §2) explicitly accepts this tradeoff.
  • [info] security-posture-verified — GitHub-managed CodeQL default setup independently verified as configured via API: state=configured, languages=[actions], query_suite=default, updated_at=2026-04-09. The compliance audit 403 is a token-permissions issue (PAT lacks security_events:read), not a state issue. All CI checks passed including both CodeQL scans.

CI status

All CI checks passed at the reviewed commit.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry

don-petry commented Apr 21, 2026

Copy link
Copy Markdown
Contributor Author
Superseded by automated re-review at 6061d33b97014c8a4eeaf2fee91fe5452c5c2d6a — click to expand prior review.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on main if the branch is behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

GitHub-managed CodeQL default setup is already in state `configured`
(languages: actions, query_suite: default) per org standard §2.

Per ci-standards.md §2, per-repo codeql.yml files are treated as drift
by the compliance audit. Having both the workflow file and default setup
causes double CI billing and coexistence is not supported.

Closes #92

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
@don-petry don-petry force-pushed the claude/issue-92-20260418-1841 branch from 0c72d7d to a4d2591 Compare May 13, 2026 17:08
@don-petry don-petry requested a review from a team as a code owner May 13, 2026 17:08
@sonarqubecloud

Copy link
Copy Markdown

@donpetry-bot

Copy link
Copy Markdown
Contributor

Review — fix requested (cycle 3/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: 6061d33b97014c8a4eeaf2fee91fe5452c5c2d6a
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

The merge conflict flagged in cycle 1 is now resolved (three merge-main commits since prior review), but the two major gates still fail: apply-code-quality-ruleset.sh:55 still hardcodes 'Analyze (actions)' which will not exist post-merge, and no human approval has been obtained. PR #126 (the suggested atomic fix) remains open but also has merge conflicts. The PR cannot be approved until the ruleset script is corrected and a CODEOWNERS member approves.

Findings

  • MAJOR: apply-code-quality-ruleset.sh:55 still requires {context: "Analyze (actions)"}. After codeql.yml is deleted this check name will no longer be produced — only "CodeQL" from managed default setup. If any admin runs this script post-merge it will configure the live ruleset to require a check that never fires, blocking all future PRs from merging. The prior review (cycle 1) explicitly flagged this; the author pushed only merge-main commits and did not fix it. (.github/scripts/apply-code-quality-ruleset.sh:55)
  • MINOR: reviewDecision is REVIEW_REQUIRED; review requested from team petry-projects/org-leads. Author don-petry is a MEMBER but cannot self-approve. Only automated reviewers (Copilot COMMENTED, CodeRabbit rate-limited) have engaged. A human CODEOWNERS member approval is required before merge.
  • INFO: The merge conflict flagged by triage (mergeable: CONFLICTING) is now resolved. Three merge-main commits were pushed on 2026-05-13, 2026-05-15, and 2026-05-16. PR is now mergeable: MERGEABLE, blocked only by review requirements.
  • INFO: PR ci: remove drift codeql.yml and sync ruleset script to CodeQL check name #126 (claude/issue-92-20260419-1733), which deletes codeql.yml AND updates the ruleset script atomically, is still open but has mergeable: CONFLICTING / mergeStateStatus: DIRTY. Both PRs need work; closing this one in favor of ci: remove drift codeql.yml and sync ruleset script to CodeQL check name #126 remains an option if ci: remove drift codeql.yml and sync ruleset script to CodeQL check name #126's conflict is resolved first.
  • INFO: All CI checks are green at HEAD (6061d33): Analyze (actions) SUCCESS, CodeQL SUCCESS, CodeRabbit SUCCESS, SonarQube Quality Gate passed. Note that Analyze (actions) is currently produced by the still-present codeql.yml on this branch — it will disappear after merge.

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead - please fix this PR

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@sonarqubecloud

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot

Copy link
Copy Markdown
Contributor

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Contributor Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:19

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: codeql-default-setup-not-configured

3 participants