From 7ed3c3bc3e2b3a2f6cf9c6b76dbd2cec9f0937b6 Mon Sep 17 00:00:00 2001
From: Yasunobu <42543015+P4suta@users.noreply.github.com>
Date: Wed, 17 Jun 2026 13:19:06 +0900
Subject: [PATCH] ci(security): add CodeQL static analysis (rust, build-mode none)

Completes CodeQL parity across the ecosystem (aozora-proof already had it; aozora #97 and aozora-tools #24 add it too). PR + push + weekly schedule, scanning Rust with build-mode none. Actions SHA-pinned per this repo's convention; Dependabot keeps them fresh.

Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/codeql.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..7fb5970
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,32 @@
+name: codeql
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: "23 4 * * 1" # weekly, Monday 04:23 UTC
+
+permissions:
+ security-events: write
+ contents: read
+ actions: read
+
+concurrency:
+ group: codeql-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ codeql:
+ name: codeql
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
+ with:
+ languages: rust
+ build-mode: none
+ - uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
+ with:
+ category: "/language:rust"
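Review bot: The concurrency block applies `cancel-in-progress: true` to every trigger, and the group key `codeql-${{ github.ref }}` puts the weekly schedule and each push to main in the same group, so a default-branch scan that feeds the code-scanning alerts can be cancelled mid-run by the next push; if the replacement run then fails, main is left without fresh results. Limiting cancellation to pull requests, `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, keeps the dedupe where it pays off without risking default-branch coverage. The `codeql` job also sets no `timeout-minutes`, so a stuck analysis holds a runner for the platform default of six hours; a bounded value such as `timeout-minutes: 60` is cheap insurance for a scheduled job. The `# v3` comments on the two codeql-action pins name only a major version, unlike the checkout pin's `# v6.0.2`; recording the exact release tag next to the SHA makes verifying the pin easier for reviewers and for the Dependabot updates the message relies on, which this patch alone cannot confirm are configured for `github-actions`.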