Skip to content

fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285)#3452

Merged
BunsDev merged 1 commit into
mainfrom
fix/3285-codeql-finalize
Jul 18, 2026
Merged

fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285)#3452
BunsDev merged 1 commit into
mainfrom
fix/3285-codeql-finalize

Conversation

@BunsDev

@BunsDev BunsDev commented Jul 18, 2026

Copy link
Copy Markdown
Member

Finalizes CodeQL enforcement for #3285 — the last three open workstreams: swift coverage, an unsatisfiable merge gate, and the Code Quality GA decision.

The gate was silently broken for everyone but admins

Since #3436 removed the swift leg from PR CI, the ruleset's code_scanning rule kept expecting a swift result on every PR (the expected category set derives from analyses uploaded to main, where stale swift analyses remained). Every rule-suite evaluation since then failed with "Code scanning is still expecting 1 result from CodeQL" even after all four language analyses completed — e.g. PR #3448: all 4 SARIFs uploaded by 20:12Z, merge at 20:21Z still expected 1. Zero pass results in 15+ post-#3436 evaluations vs routine passes before; every merge landed via admin bypass. Non-admins could not merge at all.

Unblock (admin, already applied): deleted the 30 stale swift analyses from refs/heads/main (documented flow for removed configurations; both swift alerts were already fixed, snapshot retained). The expected set now matches the four active categories.

Changes

  • codeql.yml — swift returns as an audit job. Analyze (swift audit) runs on schedule (weekly) + workflow_dispatch on macos-15, builds the xcodegen-generated iOS project, and analyzes swift with upload: never hard-coded — findings go to the step summary + a 30-day SARIF artifact. Real swift scanning at 1 macOS run/week ($10/mo) instead of per-PR (~$1,695 gross in July), with zero gate poisoning. The gate-parity invariant is documented at both the matrix and the audit job: never upload a category from main-only runs that PRs don't produce.
  • docs/codeql.md — runbook → current-state docs. Activation steps are done; the doc now covers the gated 4-language matrix, the swift audit job, ruleset 19123333 semantics, the parity invariant, gate verification via the rule-suites API, and rollback.
  • quote-slide.py — real bug found by Code Quality. p.text = """ (unterminated triple-quote) swallowed the rest of the carousel template; now p.text = "\u201C" per the sibling template. py_compile passes. This was finding #4623, the only error-severity Code Quality finding.

Code Quality: disabled before GA (2026-07-20)

Per the issue's decision rule ("disable before general availability unless the organization explicitly approves" — no approval on record): findings snapshotted (85), the one real error fixed here, then PATCH /code-quality/setup state=not-configured (verified; AI findings disabled too).

Verification

  • python3 -m py_compile on the fixed template: OK
  • Workflow YAML parses; swift-audit if/upload: never/output verified
  • This PR is itself the live gate test: with the stale swift analyses purged, the gate should go green here without admin bypass once the four analyses upload — watch the merge box.

Closes #3285

…arity

Finalizes CodeQL enforcement for issue #3285.

- codeql.yml: add out-of-band `Analyze (swift audit)` job — weekly schedule +
  workflow_dispatch on macos-15, builds the xcodegen-generated iOS project and
  analyzes swift with `upload: never` hard-coded, publishing findings to the
  step summary and a 30-day SARIF artifact. Swift left the PR matrix in #3436
  (macOS budget); its stale analyses on main kept swift in the merge gate's
  expected category set, making the code_scanning rule permanently
  unsatisfiable ("still expecting 1 result from CodeQL") so every merge
  required admin bypass. Audit mode restores real swift scanning at ~1 macOS
  run/week without re-poisoning the gate.
- codeql.yml: document the gate-parity invariant (never upload a category from
  main-only runs that PRs don't produce) at the matrix and the audit job.
- docs/codeql.md: rewrite the activation runbook as current-state docs — gated
  four-language matrix, swift audit job, ruleset 19123333 semantics, parity
  invariant, gate verification via rule-suites, and rollback.
- quote-slide.py: fix unterminated triple-quote (`p.text = """`) that
  swallowed half the carousel template — now `p.text = "\u201C"` matching the
  sibling cookbook template. Found by Code Quality (finding #4623, the only
  error-severity finding); py_compile now passes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 18, 2026 21:37

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Finalizes CodeQL enforcement by restoring Swift coverage as an audit-only job (without poisoning the merge gate), documenting the new gate-parity invariant/runbook, and fixing a Python syntax bug surfaced by Code Quality.

Changes:

  • Add a macOS-only Analyze (swift audit) CodeQL job that runs on schedule/dispatch and never uploads to code scanning (artifact + step summary instead).
  • Update docs/codeql.md to reflect current enforcement state, the ruleset semantics, and the gate-parity invariant/rollback.
  • Fix an unterminated triple-quote in the PPTX quote-slide template (quote-slide.py) so it compiles.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
.github/workflows/codeql.yml Adds a Swift audit job (no upload) and documents why Swift is excluded from the gated matrix.
docs/codeql.md Updates documentation to current-state enforcement + explains gate-parity invariant and verification/rollback steps.
marketplace/plugins/pptx-generator/skills/pptx-generator/cookbook/carousels/quote-slide.py Fixes a Python syntax error by replacing an unintended unterminated triple-quote assignment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@BunsDev
BunsDev merged commit 1c1604b into main Jul 18, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Harden CodeQL enforcement and native coverage

2 participants