ci: remove drift codeql.yml — GitHub-managed default setup is configured#114
ci: remove drift codeql.yml — GitHub-managed default setup is configured#114don-petry wants to merge 16 commits into
Conversation
|
Warning Review limit reached
More reviews will be available in 57 minutes and 40 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@don-petry — PR is ready for review and merge. This removes the drift |
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Removes the repository-level CodeQL workflow to eliminate drift from org CI standards and avoid double-running CodeQL when GitHub-managed default setup is already configured.
Changes:
- Deleted
.github/workflows/codeql.ymlto rely exclusively on GitHub-managed CodeQL default setup.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
don-petry
left a comment
There was a problem hiding this comment.
Automated review — NEEDS HUMAN REVIEW
Risk: MEDIUM
Reviewed commit: 0c72d7d08ffd0049596a8e823251e629a622a384
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
The change itself is org-standard-compliant — GitHub-managed CodeQL default setup is verified configured (state: configured, languages: [actions], query_suite: default) and ci-standards.md §2 explicitly requires deleting per-repo codeql.yml as drift. However, this PR cannot be merged: it has a merge conflict, lacks human approval, and is incomplete because it does not update apply-code-quality-ruleset.sh (which still hardcodes 'Analyze (actions)' as a required check — running that script post-merge would block all future PRs). PR #126 supersedes this with a more complete fix addressing both issues atomically.
Findings
Major
- [major]
merge-state— Branch has merge conflict (mergeable: CONFLICTING, mergeStateStatus: DIRTY). Auto-rebase failed 2026-04-21. Hard blocker — PR cannot be merged as-is. - [major]
.github/scripts/apply-code-quality-ruleset.sh:55— Script still hardcodes'Analyze (actions)'as a required status check. After this PR merges, that check name will no longer be produced — only'CodeQL'from managed default setup. If anyone runs the script, it will regress the live ruleset and block all future PRs from merging. PR #126 fixes both files atomically.
Minor
- [minor]
review-process— No human approvals (reviewDecision: REVIEW_REQUIRED). CODEOWNERS requires @don-petry but @don-petry is the PR author — self-review pattern on a security-scanning change. Only automated reviewers commented (Copilot COMMENTED, CodeRabbit rate-limited). - [minor]
superseded— PR #126 (branchclaude/issue-92-20260419-1733) supersedes this PR with a more complete fix: it deletes codeql.yml AND updates apply-code-quality-ruleset.sh to require'CodeQL'instead of'Analyze (actions)'. This PR should be closed in favor of #126 (though #126 also has merge conflicts that need resolution).
Info
- [info]
.github/workflows/codeql.yml— Deleted workflow used SHA-pinned action references. GitHub-managed default setup does not expose SHA pinning. The org standard (ci-standards.md §2) explicitly accepts this tradeoff. - [info]
security-posture-verified— GitHub-managed CodeQL default setup independently verified as configured via API: state=configured, languages=[actions], query_suite=default, updated_at=2026-04-09. The compliance audit 403 is a token-permissions issue (PAT lacks security_events:read), not a state issue. All CI checks passed including both CodeQL scans.
CI status
All CI checks passed at the reviewed commit.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
Superseded by automated re-review at
|
GitHub-managed CodeQL default setup is already in state `configured` (languages: actions, query_suite: default) per org standard §2. Per ci-standards.md §2, per-repo codeql.yml files are treated as drift by the compliance audit. Having both the workflow file and default setup causes double CI billing and coexistence is not supported. Closes #92 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
0c72d7d to
a4d2591
Compare
|
Review — fix requested (cycle 3/3)The automated review identified the following issues. Please address each one: Findings to fixAutomated review — NEEDS HUMAN REVIEWRisk: MEDIUM SummaryThe merge conflict flagged in cycle 1 is now resolved (three merge-main commits since prior review), but the two major gates still fail: apply-code-quality-ruleset.sh:55 still hardcodes 'Analyze (actions)' which will not exist post-merge, and no human approval has been obtained. PR #126 (the suggested atomic fix) remains open but also has merge conflicts. The PR cannot be approved until the ruleset script is corrected and a CODEOWNERS member approves. Findings
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review. Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
@dev-lead - please fix this PR |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Dev-Lead — review-changes (applied)Changes committed and pushed. |
|
Dev-Lead — review-changes (applied)Changes committed and pushed. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
Automated review — human attention neededThis PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the Posted by the donpetry-bot PR-review cascade. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead. |
Pull request was closed



Summary
.github/workflows/codeql.ymlwhich is drift per org standard §2configured(languages: ["actions"],query_suite: default)codeql.ymland default setup active simultaneously causes double CI billing and is explicitly disallowedWhy the compliance audit still shows 403
The compliance audit's PAT lacks
security_events: readpermission (fine-grained) orreposcope (classic), causing it to get HTTP 403 when calling/code-scanning/default-setup. This is an org-level infra issue with the audit's token — the setup itself is configured. Removing the drift file is the repo-side fix; the token permission fix needs to happen in the.githuborg repo's secrets.Test plan
gh api repos/petry-projects/markets/code-scanning/default-setup→state: configuredcodeql.ymldeleted; no more double-scan billingCloses #92
Generated with Claude Code