ci(codeql): switch to advanced setup so fork PRs are scanned #708

Status: Merged. DorianZheng merged 4 commits into main from ci/codeql-advanced-setup on Jun 9, 2026.

Conversation

DorianZheng (Member) commented Jun 9, 2026

Why

CodeQL default setup does not analyze pull requests from forks. The main/release rulesets require CodeQL code scanning results, so fork PRs can remain blocked waiting for results that never arrive.

This PR adds a CodeQL advanced-setup workflow that can run on pull_request once default setup is disabled.

What

  • Adds .github/workflows/codeql.yml with a matrix over the analyzed languages: actions, c-cpp, go, javascript-typescript, python, and rust.
  • Uses build-mode: none where CodeQL supports source-only analysis.
  • Uses build-mode: autobuild for Go because Go does not support none.
  • Uses github/codeql-action@v4 and actions/checkout@v6.
  • Disables checkout credential persistence with persist-credentials: false.
  • Keeps the workflow dormant behind repository variable CODEQL_ADVANCED_SETUP_ENABLED=true while default setup is still enabled.
  • Documents the activation sequence in .github/workflows/README.md.
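The bullets above (and the later commit note that Go's extractor needs autobuild) describe the workflow without showing it. The following is an added illustration of such a workflow, written for this page rather than copied from the PR's .github/workflows/codeql.yml; the workflow name, the concurrency group expression, the cron time, and the per-job permission set are assumptions, while the triggers, the variable gate, the language matrix, the build modes, the action versions, and persist-credentials: false come from the PR description.

```yaml
# Illustrative advanced-setup CodeQL workflow (added example, not the merged file).
name: CodeQL (advanced setup)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]          # fires for fork PRs too, which default setup does not scan
  workflow_dispatch:
  schedule:
    - cron: "17 3 * * 1"      # weekly; the exact day/time is an assumption

# Cancel a superseded run when the same ref is pushed again (group name is an assumption).
concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# No token permissions by default; the job requests only what CodeQL needs.
permissions: {}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # Bootstrap guard: GitHub rejects advanced-setup uploads while default setup is
    # still enabled, so the job stays dormant until the repository variable is "true".
    if: ${{ vars.CODEQL_ADVANCED_SETUP_ENABLED == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read the checkout
      security-events: write  # upload SARIF results to code scanning
      actions: read           # let the "actions" extractor read workflow files
    strategy:
      fail-fast: false        # a failure in one language must not cancel the others
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: c-cpp
            build-mode: none
          - language: go
            build-mode: autobuild   # Go's CodeQL extractor does not support build-mode none
          - language: javascript-typescript
            build-mode: none
          - language: python
            build-mode: none
          - language: rust
            build-mode: none
    steps:
      - name: Checkout
        uses: actions/checkout@v6   # reviewer suggestion on the PR: pin to a full commit SHA
        with:
          persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config for later steps

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
```

The `if:` gate reads a repository variable rather than a secret, so it is also evaluated for pull requests from forks; flipping the variable to true after default setup is disabled is the activation step described below, and setting it back to false is the rollback.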

Required activation after merge

GitHub rejects advanced CodeQL uploads while CodeQL default setup is enabled, so this workflow is intentionally feature-gated for the bootstrap PR.

  1. Merge this PR with CODEQL_ADVANCED_SETUP_ENABLED unset or false, leaving default setup as the active scanner.
  2. Disable CodeQL default setup.
  3. Set repository variable CODEQL_ADVANCED_SETUP_ENABLED=true.
  4. Trigger a new push, pull request update, or manual CodeQL workflow dispatch.
  5. Verify the advanced workflow uploads CodeQL results successfully.
  6. Roll back by setting CODEQL_ADVANCED_SETUP_ENABLED=false and re-enabling default setup.

Validation

  • actionlint .github/workflows/codeql.yml
  • git diff --check origin/main...HEAD -- .github/workflows/README.md .github/workflows/codeql.yml
  • make lint

Summary by CodeRabbit

  • Chores

    • Added an opt-in advanced CodeQL security scan with reduced permissions, concurrency cancellation for outdated runs, and language-aware analysis; runs on pushes, pull requests (including from forks), manual triggers, and a weekly schedule.
  • Documentation

    • Added guidance covering the advanced scan configuration, activation/rollback sequence, scheduling, and per-language build requirements.

Default setup does not analyze pull requests from forks, so the
code_scanning ruleset rule blocks every fork PR. Add an advanced-setup
CodeQL workflow (build-mode: none for all 6 languages) that runs on
pull_request, so fork PRs are scanned and the gate is satisfiable without
admin bypass. Document the workflow in .github/workflows/README.md.
@DorianZheng DorianZheng requested a review from a team as a code owner June 9, 2026 13:10
coderabbitai (bot) commented Jun 9, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 84ce560 and 0f2cc53.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/codeql.yml

📝 Walkthrough

Walkthrough

Adds an advanced CodeQL GitHub Actions workflow plus README docs. The workflow is gated by repository variable CODEQL_ADVANCED_SETUP_ENABLED, triggers on push/PR/workflow_dispatch/weekly cron, runs a language matrix (Go uses autobuild, others use none), and initializes/analyzes with pinned CodeQL actions.

Changes

CodeQL Security Scanning

Workflow triggers and concurrency (.github/workflows/codeql.yml): Defines workflow metadata and triggers (push, pull_request to main, workflow_dispatch, weekly cron) and concurrency settings to cancel prior runs for updated PRs.

Analyze job matrix and enabling gate (.github/workflows/codeql.yml): Adds an analyze job gated by vars.CODEQL_ADVANCED_SETUP_ENABLED with minimal permissions, a language matrix (actions, c-cpp, go, javascript-typescript, python, rust), fail-fast: false, and per-language build-mode (autobuild for Go, none for others).

Checkout, init, and run CodeQL steps (.github/workflows/codeql.yml): Job steps check out the repo (no persisted credentials), run pinned github/codeql-action/init with matrix-driven language/build-mode, and execute pinned github/codeql-action/analyze with a category set per language.

CodeQL workflow documentation and activation sequence (.github/workflows/README.md): Adds a README section explaining advanced setup for fork PR analysis, supported triggers, the language/build-mode choices, the CODEQL_ADVANCED_SETUP_ENABLED bootstrap guard, and activation/rollback steps.
sequenceDiagram
  participant GitHub as GitHub Actions
  participant Runner as Actions Runner
  participant Checkout as actions/checkout@v3
  participant Init as github/codeql-action/init@v4
  participant Analyze as github/codeql-action/analyze@v4

  GitHub->>Runner: trigger (push|pull_request|workflow_dispatch|cron)
  Runner->>Checkout: checkout repository
  Runner->>Init: init CodeQL (matrix.language, build-mode)
  Init->>Analyze: provide CodeQL DB/config
  Runner->>Analyze: run analysis (category=/language:${matrix.language})
  Analyze->>GitHub: upload analysis results

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibbled YAML under moonlit beams,
Tucked CodeQL checks into CI dreams,
Guarded forks with a tiny key,
Scanning Go, Python, Rust and JS with glee,
The hopping coder hums at ease.

🚥 Pre-merge checks: 5 passed

Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: Passed. The title 'ci(codeql): switch to advanced setup so fork PRs are scanned' directly and clearly describes the main objective of the changeset: implementing an advanced CodeQL setup that enables scanning of fork pull requests.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; docstring coverage check skipped.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai (bot) left a review comment

🧹 Nitpick comments (2)
.github/workflows/codeql.yml (2)

48-49: ⚡ Quick win

Consider setting persist-credentials: false for defense in depth.

The checkout step does not disable credential persistence. While the risk is minimal in this workflow (no custom run: steps that could misuse credentials), setting persist-credentials: false is a security best practice.

🔒 Proposed fix to disable credential persistence
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
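Review bot: the suggested hunk attaches `with: persist-credentials: false` to `uses: actions/checkout@v4`, but the PR description says the workflow uses `actions/checkout@v6`, and the next nitpick asks for the action to be pinned to a full commit SHA; whichever ref is finally used, the `with:` block should be applied to that line rather than to the `@v4` reference shown here, so the suggestion does not silently downgrade the action when applied verbatim.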
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 48 - 49, The Checkout step using
actions/checkout@v4 currently leaves credential persistence enabled; update the
checkout step (the step named "Checkout" that uses actions/checkout@v4) to
explicitly set persist-credentials: false to prevent the action from leaving
GITHUB_TOKEN credentials available to later steps for defense in depth.

Source: Linters/SAST tools


49-49: Pin CodeQL workflow actions to commit SHAs for supply-chain hardening

.github/workflows/codeql.yml currently uses tag-based actions; the suggested SHA-pinned replacements are:

  • actions/checkout@v4 -> actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
  • github/codeql-action/init@v3 -> github/codeql-action/init@b0c4fd77f6c559021d78430ec4d0d169ae74a4eb
  • github/codeql-action/analyze@v3 -> github/codeql-action/analyze@b0c4fd77f6c559021d78430ec4d0d169ae74a4eb

No repo policy requiring SHA pinning for GitHub Actions was found; this is a security best practice rather than a hard requirement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml at line 49, Update the CodeQL workflow to pin
the GitHub Actions to specific commit SHAs instead of tags: replace uses:
actions/checkout@v4 with uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5, replace
github/codeql-action/init@v3 with
github/codeql-action/init@b0c4fd77f6c559021d78430ec4d0d169ae74a4eb, and replace
github/codeql-action/analyze@v3 with
github/codeql-action/analyze@b0c4fd77f6c559021d78430ec4d0d169ae74a4eb so the
CodeQL workflow uses commit-pinned actions for supply-chain hardening.

Source: Linters/SAST tools


ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 0b0ba91 and ee5a0cd.

📒 Files selected for processing (2)
  • .github/workflows/README.md
  • .github/workflows/codeql.yml

CI showed Analyze (go) fails at init: Go's CodeQL extractor does not
support build-mode none. Switch Go to autobuild (the mode default setup
uses for this repo); other languages keep build-mode none.

coderabbitai (bot) left a review comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 62-64: Replace the floating tag "uses: actions/checkout@v6" with a
pinned commit SHA for supply-chain security: locate the workflow step that
references actions/checkout@v6 and change it to the specific full revision (the
actions/checkout repository commit SHA) instead of the version tag, ensuring the
workflow still sets with: persist-credentials: false; commit the updated
workflow so the action is locked to the exact commit rather than a moving tag.
- Around line 67-70: Replace the floating major tag usage with an immutable
commit SHA: change uses: github/codeql-action/init@v4 to uses:
github/codeql-action/init@<commit-sha> where <commit-sha> is the specific commit
from the v4 release branch you want to pin, and do the same for uses:
github/codeql-action/analyze@v4 (replace with uses:
github/codeql-action/analyze@<same-commit-sha>); ensure both init and analyze
reference the exact commit SHA taken from the v4 line so you keep the v4
codebase while pinning to an immutable SHA.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between cd32d8f and 84ce560.

📒 Files selected for processing (2)
  • .github/workflows/README.md
  • .github/workflows/codeql.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/README.md

DorianZheng merged commit 7b0cc0d into main on Jun 9, 2026; 31 checks passed.
DorianZheng deleted the ci/codeql-advanced-setup branch on June 9, 2026 at 15:16.