Skip to content

ci: add CodeQL scanning#10

Merged
saagpatel merged 1 commit into
mainfrom
codex/add-codeql-scanning
May 18, 2026
Merged

ci: add CodeQL scanning#10
saagpatel merged 1 commit into
mainfrom
codex/add-codeql-scanning

Conversation

@saagpatel

Copy link
Copy Markdown
Owner

What

  • Adds a Python CodeQL code-scanning workflow for pull requests, pushes to main, and weekly scheduled scans.
  • Documents the new public code-scanning coverage in workflow and security docs.
  • Adds a policy test so the CodeQL workflow and docs remain present.

Why

  • The repository is now public, so it should have a visible, durable code-scanning trust signal alongside CI, Dependabot, branch protection, and PyPI Trusted Publishing.

How

  • Uses github/codeql-action/init@v4 and github/codeql-action/analyze@v4 with security-events: write and read-only repository permissions.
  • Runs the Python analysis with security-extended and security-and-quality query suites.

Testing

  • ruff check src/ tests/
  • python3 -m pytest tests/test_distribution_policy.py -q -p no:cacheprovider
  • python3 -m pytest -q -p no:cacheprovider
  • Parsed all workflow YAML files with PyYAML.

Performance Impact

  • Adds one CodeQL Actions job on PRs, pushes to main, and a weekly scheduled scan.

Risk / Notes

  • Code scanning will only show repository analysis after the workflow completes successfully on GitHub.

- add a Python CodeQL workflow for pull requests, main pushes, and weekly scans
- document public code-scanning coverage in workflow and security docs
- guard the workflow with distribution policy tests

Tests: ruff check src/ tests/; python3 -m pytest tests/test_distribution_policy.py -q -p no:cacheprovider; python3 -m pytest -q -p no:cacheprovider
@github-advanced-security

Copy link
Copy Markdown
Contributor

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@saagpatel
saagpatel merged commit 13ce464 into main May 18, 2026
3 checks passed
@saagpatel
saagpatel deleted the codex/add-codeql-scanning branch June 12, 2026 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants