fix(security): finalize CodeQL enforcement — swift audit job, gate parity, Code Quality decision (#3285)#3452
Merged
Merged
Conversation
…arity Finalizes CodeQL enforcement for issue #3285. - codeql.yml: add out-of-band `Analyze (swift audit)` job — weekly schedule + workflow_dispatch on macos-15, builds the xcodegen-generated iOS project and analyzes swift with `upload: never` hard-coded, publishing findings to the step summary and a 30-day SARIF artifact. Swift left the PR matrix in #3436 (macOS budget); its stale analyses on main kept swift in the merge gate's expected category set, making the code_scanning rule permanently unsatisfiable ("still expecting 1 result from CodeQL") so every merge required admin bypass. Audit mode restores real swift scanning at ~1 macOS run/week without re-poisoning the gate. - codeql.yml: document the gate-parity invariant (never upload a category from main-only runs that PRs don't produce) at the matrix and the audit job. - docs/codeql.md: rewrite the activation runbook as current-state docs — gated four-language matrix, swift audit job, ruleset 19123333 semantics, parity invariant, gate verification via rule-suites, and rollback. - quote-slide.py: fix unterminated triple-quote (`p.text = """`) that swallowed half the carousel template — now `p.text = "\u201C"` matching the sibling cookbook template. Found by Code Quality (finding #4623, the only error-severity finding); py_compile now passes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Finalizes CodeQL enforcement by restoring Swift coverage as an audit-only job (without poisoning the merge gate), documenting the new gate-parity invariant/runbook, and fixing a Python syntax bug surfaced by Code Quality.
Changes:
- Add a macOS-only
Analyze (swift audit)CodeQL job that runs on schedule/dispatch and never uploads to code scanning (artifact + step summary instead). - Update
docs/codeql.mdto reflect current enforcement state, the ruleset semantics, and the gate-parity invariant/rollback. - Fix an unterminated triple-quote in the PPTX quote-slide template (
quote-slide.py) so it compiles.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/codeql.yml |
Adds a Swift audit job (no upload) and documents why Swift is excluded from the gated matrix. |
docs/codeql.md |
Updates documentation to current-state enforcement + explains gate-parity invariant and verification/rollback steps. |
marketplace/plugins/pptx-generator/skills/pptx-generator/cookbook/carousels/quote-slide.py |
Fixes a Python syntax error by replacing an unintended unterminated triple-quote assignment. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
18 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Finalizes CodeQL enforcement for #3285 — the last three open workstreams: swift coverage, an unsatisfiable merge gate, and the Code Quality GA decision.
The gate was silently broken for everyone but admins
Since #3436 removed the swift leg from PR CI, the ruleset's
code_scanningrule kept expecting a swift result on every PR (the expected category set derives from analyses uploaded tomain, where stale swift analyses remained). Every rule-suite evaluation since then failed with "Code scanning is still expecting 1 result from CodeQL" even after all four language analyses completed — e.g. PR #3448: all 4 SARIFs uploaded by 20:12Z, merge at 20:21Z still expected 1. Zeropassresults in 15+ post-#3436 evaluations vs routine passes before; every merge landed via adminbypass. Non-admins could not merge at all.Unblock (admin, already applied): deleted the 30 stale swift analyses from
refs/heads/main(documented flow for removed configurations; both swift alerts were alreadyfixed, snapshot retained). The expected set now matches the four active categories.Changes
codeql.yml— swift returns as an audit job.Analyze (swift audit)runs onschedule(weekly) +workflow_dispatchonmacos-15, builds the xcodegen-generated iOS project, and analyzes swift withupload: neverhard-coded — findings go to the step summary + a 30-day SARIF artifact. Real swift scanning at1 macOS run/week ($10/mo) instead of per-PR (~$1,695 gross in July), with zero gate poisoning. The gate-parity invariant is documented at both the matrix and the audit job: never upload a category from main-only runs that PRs don't produce.docs/codeql.md— runbook → current-state docs. Activation steps are done; the doc now covers the gated 4-language matrix, the swift audit job, ruleset 19123333 semantics, the parity invariant, gate verification via the rule-suites API, and rollback.quote-slide.py— real bug found by Code Quality.p.text = """(unterminated triple-quote) swallowed the rest of the carousel template; nowp.text = "\u201C"per the sibling template.py_compilepasses. This was finding #4623, the only error-severity Code Quality finding.Code Quality: disabled before GA (2026-07-20)
Per the issue's decision rule ("disable before general availability unless the organization explicitly approves" — no approval on record): findings snapshotted (85), the one real error fixed here, then
PATCH /code-quality/setup state=not-configured(verified; AI findings disabled too).Verification
python3 -m py_compileon the fixed template: OKif/upload: never/outputverifiedCloses #3285