Skip to content

ci: add CodeQL analysis for Python and GitHub Actions#1053

Merged
Aaron ("AJ") Steers (aaronsteers) merged 6 commits into
mainfrom
devin/1783103177-add-codeql
Jul 5, 2026
Merged

ci: add CodeQL analysis for Python and GitHub Actions#1053
Aaron ("AJ") Steers (aaronsteers) merged 6 commits into
mainfrom
devin/1783103177-add-codeql

Conversation

@aaronsteers

@aaronsteers Aaron ("AJ") Steers (aaronsteers) commented Jul 3, 2026

Copy link
Copy Markdown
Member

Summary

Adds CodeQL security scanning with python and actions language analyzers using the security-and-quality query suite.

The actions analyzer detects GitHub Actions-specific vulnerabilities like script injection (actions/dangerous-action-command), missing permissions blocks, and untrusted checkout.

Runs on push/PR to main and weekly on Monday.

Link to Devin session: https://app.devin.ai/sessions/fe5d63b3474f4fe6990b6f8f7a47f8ed
Requested by: Aaron ("AJ") Steers (@aaronsteers)

Summary by CodeRabbit

  • Chores
    • Added automated CodeQL security checks that run on pull requests, pushes to the main branch, and on a weekly schedule.
    • Improved security scanning coverage by analyzing multiple languages/actions via a job matrix.
    • Updated workflow execution to prevent overlapping runs and streamline newer check results.

Important

Auto-merge enabled.

This PR is set to merge automatically when all requirements are met.

devin-ai-integration Bot and others added 2 commits July 3, 2026 18:27
Enables CodeQL security scanning with python and actions language
analyzers using the security-and-quality query suite. The actions
analyzer detects workflow vulnerabilities like script injection,
missing permissions, and untrusted checkout.

Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
@devin-ai-integration

Copy link
Copy Markdown
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1783103177-add-codeql' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1783103177-add-codeql'

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /fix-pr - Fixes most formatting and linting issues
  • /uv-lock - Updates uv.lock file
  • /test-pr - Runs tests with the updated PyAirbyte
  • /prerelease - Builds and publishes a prerelease version to PyPI
📚 Show Repo Guidance

Helpful Resources

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.

📝 Edit this welcome message.

@devin-ai-integration devin-ai-integration Bot marked this pull request as ready for review July 3, 2026 18:31

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@devin-ai-integration[bot], you've reached your PR review limit, so we couldn't start this review.

Next review available in: 39 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3f8b6821-0ea1-4746-ab8e-8b2d95b8546a

📥 Commits

Reviewing files that changed from the base of the PR and between c80f505 and 21a007a.

📒 Files selected for processing (2)
  • .github/codeql/codeql-config.yml
  • .github/workflows/codeql-vulnerability-checks.yml
📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow for CodeQL vulnerability checks on pushes, pull requests, and a weekly schedule. It runs a matrix job for python and actions with CodeQL init and analyze steps.

Changes

CodeQL Workflow Setup

Layer / File(s) Summary
CodeQL workflow definition
.github/workflows/codeql-vulnerability-checks.yml
Defines the workflow triggers, concurrency control, job permissions, matrix language selection, checkout setup, and CodeQL init/analyze steps.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Related Issues: None provided.

Suggested labels: ci, security

Suggested reviewers: None provided.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding CodeQL analysis for Python and GitHub Actions.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch devin/1783103177-add-codeql

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

30-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Could you pin actions/checkout and github/codeql-action to reviewed SHAs, and bump CodeQL from @v3 to @v4? In .github/workflows/codeql.yml, the workflow still relies on mutable major tags; pinning them would better match the supply-chain hardening this job is meant to provide.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 30 - 41, The CodeQL workflow is
still using mutable action tags, so update the checkout and CodeQL steps in the
workflow to reference reviewed commit SHAs instead of version tags. Locate the
`actions/checkout` usage and the `github/codeql-action/init` and
`github/codeql-action/analyze` steps, pin each to a reviewed SHA, and bump the
CodeQL action reference from v3 to v4 while keeping the existing workflow
behavior unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/codeql.yml:
- Around line 30-41: The CodeQL workflow is still using mutable action tags, so
update the checkout and CodeQL steps in the workflow to reference reviewed
commit SHAs instead of version tags. Locate the `actions/checkout` usage and the
`github/codeql-action/init` and `github/codeql-action/analyze` steps, pin each
to a reviewed SHA, and bump the CodeQL action reference from v3 to v4 while
keeping the existing workflow behavior unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9688765f-31ae-4fa3-82ec-8968c2e4ecad

📥 Commits

Reviewing files that changed from the base of the PR and between 1e2d7d8 and d611e9c.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

@github-code-quality

github-code-quality Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: Python

Python / code-coverage/pytest-fast

The overall coverage in the branch is 67%. The coverage in the branch is 65%.

Show a code coverage summary of the most impacted files.
File d9f652f 21a007a +/-
airbyte/_util/api_util.py 36% 37% +1%
airbyte/registry.py 70% 72% +2%
airbyte/mcp/_tool_utils.py 72% 77% +5%
airbyte/mcp/int...c_history_ui.py 0% 36% +36%
airbyte/mcp/int...hared_models.py 0% 81% +81%
airbyte/cloud/models.py 0% 91% +91%
airbyte/mcp/int..._registry_ui.py 0% 92% +92%
airbyte/mcp/int...nc_status_ui.py 0% 97% +97%
airbyte/mcp/int...ive/__init__.py 0% 100% +100%
airbyte/mcp/int...tive/_prefab.py 0% 100% +100%

Python / code-coverage/pytest-no-creds

The overall coverage in the branch is 67%. The coverage in the branch is 65%.

Show a code coverage summary of the most impacted files.
File d9f652f 21a007a +/-
airbyte/_util/api_util.py 36% 37% +1%
airbyte/registry.py 70% 72% +2%
airbyte/mcp/_tool_utils.py 72% 77% +5%
airbyte/mcp/int...c_history_ui.py 0% 36% +36%
airbyte/mcp/int...hared_models.py 0% 81% +81%
airbyte/cloud/models.py 0% 91% +91%
airbyte/mcp/int..._registry_ui.py 0% 92% +92%
airbyte/mcp/int...nc_status_ui.py 0% 97% +97%
airbyte/mcp/int...ive/__init__.py 0% 100% +100%
airbyte/mcp/int...tive/_prefab.py 0% 100% +100%

Python / code-coverage/pytest

The overall coverage in the branch is 72%. The coverage in the branch is 71%.

Show a code coverage summary of the most impacted files.
File d9f652f 21a007a +/-
airbyte/registry.py 70% 72% +2%
airbyte/mcp/_tool_utils.py 72% 77% +5%
airbyte/mcp/server.py 69% 76% +7%
airbyte/mcp/int...c_history_ui.py 0% 36% +36%
airbyte/mcp/int...hared_models.py 0% 81% +81%
airbyte/mcp/int..._registry_ui.py 0% 92% +92%
airbyte/cloud/models.py 0% 93% +93%
airbyte/mcp/int...nc_status_ui.py 0% 97% +97%
airbyte/mcp/int...ive/__init__.py 0% 100% +100%
airbyte/mcp/int...tive/_prefab.py 0% 100% +100%

Updated July 05, 2026 09:22 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

Copilot AI review requested due to automatic review settings July 5, 2026 08:36
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 5, 2026 08:36

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/codeql-vulnerability-checks.yml (1)

32-32: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider upgrading to codeql-action v4.

github/codeql-action v3 is scheduled for deprecation in December 2026 and already surfaces Node.js 20 deprecation warnings in workflow runs today. Since v4 has been GA since October 2025 with no breaking changes for this basic setup, would it make sense to pin init/analyze (and actions/checkout, already on v4) to @v4 now to avoid a forced migration later, wdyt?

♻️ Suggested version bump
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality

       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{ matrix.language }}"

Also applies to: 37-37, 43-43

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql-vulnerability-checks.yml at line 32, The workflow
is still using the older codeql-action version, so update the CodeQL setup steps
to the v4 release alongside the existing actions/checkout v4 pin. In the
codeql-vulnerability-checks workflow, change the action references for the code
scanning initialization and analysis steps (the ones using the CodeQL
init/analyze actions) to `@v4` so the workflow stays current and avoids the
upcoming deprecation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/codeql-vulnerability-checks.yml:
- Line 32: The workflow is still using the older codeql-action version, so
update the CodeQL setup steps to the v4 release alongside the existing
actions/checkout v4 pin. In the codeql-vulnerability-checks workflow, change the
action references for the code scanning initialization and analysis steps (the
ones using the CodeQL init/analyze actions) to `@v4` so the workflow stays current
and avoids the upcoming deprecation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3610aa5e-38df-4d07-9407-03eceaf978c8

📥 Commits

Reviewing files that changed from the base of the PR and between d611e9c and e14d0b8.

📒 Files selected for processing (1)
  • .github/workflows/codeql-vulnerability-checks.yml

Comment thread .github/workflows/codeql-vulnerability-checks.yml
Co-Authored-By: AJ Steers <aj@airbyte.io>
Copilot AI review requested due to automatic review settings July 5, 2026 08:38
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 5, 2026 08:38
Co-Authored-By: AJ Steers <aj@airbyte.io>
Copilot AI review requested due to automatic review settings July 5, 2026 08:43
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 5, 2026 08:43
Co-Authored-By: AJ Steers <aj@airbyte.io>
Copilot AI review requested due to automatic review settings July 5, 2026 08:57
@aaronsteers Aaron ("AJ") Steers (aaronsteers) removed the request for review from Copilot July 5, 2026 08:57
@aaronsteers Aaron ("AJ") Steers (aaronsteers) merged commit 15ca9ab into main Jul 5, 2026
22 checks passed
@aaronsteers Aaron ("AJ") Steers (aaronsteers) deleted the devin/1783103177-add-codeql branch July 5, 2026 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant