From a3f9678ec391ec9c10ea18bc54b0f2b762ff8eff Mon Sep 17 00:00:00 2001 From: Jon Langevin Date: Mon, 23 Feb 2026 00:24:12 -0500 Subject: [PATCH 1/2] ci: replace default CodeQL setup with custom workflow that sets GOPRIVATE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The default CodeQL setup doesn't support custom environment variables, so Go autobuild fails with a checksum mismatch when fetching GoCodeAlone/yaegi from the module proxy — the proxy-served hash differs from the go.sum entry generated via direct fetch. All other CI jobs already set GOPRIVATE and GONOSUMCHECK to handle this. This replaces the default setup with an explicit workflow that does the same, matching the existing ci.yml configuration. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 74 ++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..b420f223 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,74 @@ +name: "CodeQL" + +on: + push: + branches: [ main, develop ] + pull_request: + branches: [ main, develop ] + schedule: + - cron: '0 6 * * 1' # Weekly Monday 6am UTC + +permissions: + contents: read + security-events: write + +env: + GOPRIVATE: github.com/GoCodeAlone/* + GONOSUMCHECK: github.com/GoCodeAlone/* + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + packages: read + + strategy: + fail-fast: false + matrix: + include: + - language: go + build-mode: autobuild + - language: javascript-typescript + build-mode: none + - language: actions + build-mode: none + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up Go + if: matrix.language == 'go' + uses: actions/setup-go@v5 + with: + go-version: '1.26' + cache: true + + - name: Set up Node.js + if: matrix.language == 'go' + uses: actions/setup-node@v4 + with: + node-version: '20' + registry-url: 'https://npm.pkg.github.com' + cache: 'npm' + cache-dependency-path: ui/package-lock.json + + - name: Build UI assets + if: matrix.language == 'go' + run: cd ui && npm ci && npm run build + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{ matrix.language }}" From fccde9f06473c575c12432f05590664c67d7602f Mon Sep 17 00:00:00 2001 From: Jonathan Langevin Date: Mon, 23 Feb 2026 01:17:17 -0500 Subject: [PATCH 2/2] Update .github/workflows/codeql.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b420f223..15301308 100644 --- a/.github/workflows/codeql.yml 
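Review bot: The job-level `permissions:` under `analyze` replaces the workflow-level block entirely, so the top-level `permissions:` never applies to this job and any scope added there later is silently ineffective; the second patch in this series adds `actions: read` at exactly that level and so does not grant it to the job. Either drop the workflow-level block or add the scope where it takes effect, under the job next to `packages: read`: `actions: read`. Separately, `GONOSUMCHECK` is not a documented Go environment variable (the documented knob that excludes a module path from checksum-database lookup is `GONOSUMDB`), and since `GOPRIVATE` already serves as the default for both `GONOPROXY` and `GONOSUMDB`, confirm the extra variable does anything here; neither disables `go.sum` verification, which is what keeps the directly fetched module pinned, so that integrity check is not lost by this change. The `uses:` references are pinned to major-version tags (`actions/checkout@v4`, `github/codeql-action/init@v4`); pinning to full commit SHAs with a trailing version comment is the usual hardening for a workflow that runs with `security-events: write` and hands `secrets.GITHUB_TOKEN` to `npm ci`.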
+++ b/.github/workflows/codeql.yml @@ -10,6 +10,7 @@ on: permissions: contents: read + actions: read security-events: write env: