From 7627d3236da02b371554c400eccf738624399640 Mon Sep 17 00:00:00 2001
From: schmug <38227427+schmug@users.noreply.github.com>
Date: Sun, 24 May 2026 09:55:06 -0400
Subject: [PATCH] chore(ci): switch CodeQL from default to advanced setup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds .github/workflows/codeql.yml plus a config file at .github/codeql/codeql-config.yml that excludes test/** from analysis. Motivation: the js/incomplete-url-substring-sanitization rule was firing on test assertions like expect(v.message.includes("example.com")) — no URL flow, no fetch, no auth boundary, just a string match on asserted output. Four such alerts have been dismissed as false positives; the path-ignore config prevents the pattern from re-surfacing. Cutover requires disabling default setup in repo Settings -> Code security before this merges, otherwise advanced setup runs will error. Job names match the previous "Analyze ()" pattern so any status-check pinning is preserved. Actions are SHA-pinned per repo convention; Dependabot (github-actions ecosystem) will keep them current.
---
 .github/codeql/codeql-config.yml | 14 +++++++++++
 .github/workflows/codeql.yml | 42 ++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 .github/codeql/codeql-config.yml
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..d471048
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,14 @@
+name: dmarcheck CodeQL config
+
+# Exclude test files from CodeQL analysis.
+#
+# Why: tests use String.includes() on warning-message strings as assertions
+# (e.g. expect(v.message.includes("example.com")).toBe(true)). The
+# js/incomplete-url-substring-sanitization rule fires on these as if they were
+# URL sanitization gates, but they have no URL flow, no fetch, and no auth
+# boundary — the .includes() runs on the asserted output, not user input.
+# Tests are not shipped to the Worker runtime, so the security blast radius
+# of excluding them is zero.
+paths-ignore:
+  - test/**
+  - "**/*.test.ts"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..e540f9d
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,42 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly full scan, Monday 12:23 UTC. Keeps coverage for branches that
+    # aren't being actively PR'd.
+    - cron: "23 12 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
+      - uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
+        with:
+          category: "/language:${{ matrix.language }}"
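Review bot: The `paths-ignore` entries skip every CodeQL query for the excluded files, not only js/incomplete-url-substring-sanitization, so findings such as js/hardcoded-credentials in test fixtures would no longer surface; the comment's "blast radius is zero" holds for the Worker runtime but not for tokens or credentials committed in tests. Worth recording that trade-off in the header comment, e.g. `# Trade-off: all queries (not just the rule above) are skipped for these paths, so tests are not checked for hard-coded credentials.` A `query-filters` exclude of the single rule id was presumably considered and rejected because it would silence the rule for production code as well; one sentence saying so would stop a future reviewer from re-proposing it.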
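Review bot: The `analyze` job sets no `timeout-minutes`, so a stalled CodeQL run occupies a runner for the 360-minute default; a line such as `timeout-minutes: 30` next to `runs-on: ubuntu-latest` (sized to current run times with headroom) bounds it. The commit message also records that these runs error while default setup is still enabled in repository settings, but nothing in the workflow says so; a comment above `jobs:` along the lines of `# Requires CodeQL default setup to be disabled under Settings -> Code security; with it enabled these runs fail.` keeps that dependency visible to whoever next edits the file. Both actions are SHA-pinned with version comments, which matches the stated repo convention.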