ci(codeql): streamline workflow configuration and enhance security analysis #276
marcusrbrown merged 2 commits into main from
Conversation
marcusrbrown commented Feb 28, 2026
- Remove renovate branch pattern from push trigger, focus on main branch only
- Extend PR trigger types to include reopened and ready_for_review events
- Add workflow_dispatch trigger for manual CodeQL runs
- Remove env.language variable and hardcode javascript configuration
- Add explicit actions:read permission to job
- Enable security-and-quality queries for enhanced code scanning
- Simplify configuration by removing environment variable indirection
fro-bot
left a comment
The CodeQL workflow improvements look solid. A few observations:
Approved with notes — all changes are intentional and reasonable. Flagging two behavioral shifts worth being aware of.
✅ What's good
- **`workflow_dispatch`** — useful escape hatch for manual scans; should have been there from the start.
- **`reopened` + `ready_for_review` triggers** — covers the draft→ready transition, which the previous config missed.
- **`actions: read` permission** — explicitly required by CodeQL for workflow artifact access; correct addition.
- **`queries: +security-and-quality`** — the `+` prefix correctly extends rather than replaces defaults. Adds code quality checks on top of the security suite. Scan times will increase somewhat but coverage improves meaningfully.
- **Removing `env.language` indirection** — no real upside to the variable; hardcoding `javascript` is cleaner here.
- **Removing `renovate/**` from push branches** — Renovate branches are already covered by the PR trigger, so this was just redundant scanning.
⚠️ Two behavioral changes to be aware of
1. PR trigger now has `branches: [main]` filter
The original workflow ran CodeQL on all PRs regardless of target branch. After this change, only PRs targeting `main` get scanned. For this repo's single-track workflow that's fine, but if any PRs ever target a non-main base (e.g., a release branch, a feature integration branch), they'll silently skip CodeQL.
2. Concurrency removed (separate commit ca80b2c)
The prior config cancelled in-progress runs when a new push arrived:
```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
  cancel-in-progress: true
```
Removing this means rapid-push scenarios now queue multiple CodeQL runs concurrently instead of dropping stale ones. For security scanning, intentionally avoiding cancellation makes sense (you don't want a scan mid-flight to get dropped), but it does cost extra Actions minutes on active PRs. Worth monitoring if minute usage becomes a concern.
Both of these are conscious trade-offs rather than bugs. The overall direction — less indirection, broader trigger coverage, stronger query suite — is the right move.
Run Summary
| Field | Value |
|---|---|
| Event | pull_request |
| Repository | fro-bot/agent |
| Run ID | 22514175624 |
| Cache | hit |
| Session | ses_35d4db3adffeevc8o26z4t5vq1 |
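For readers who want to see the changes from the PR description and the review above in one place, the following is an added reconstruction of the resulting CodeQL workflow. It is illustrative and is not the repository's actual file: the action versions, runner image, job name and the `contents: read` / `security-events: write` permissions are assumptions (the last is what CodeQL needs to upload SARIF results), while the triggers, the `actions: read` permission, the hardcoded language, the `+security-and-quality` query suite and the removed concurrency block follow the PR body and the review.

```yaml
# Added reconstruction of the workflow described in PR #276; not the project's own file.
# Assumptions: action versions (@v3/@v4), ubuntu-latest, the job name "analyze",
# and the contents/security-events permissions. Everything else mirrors the PR text.
name: CodeQL

on:
  push:
    branches: [main]        # renovate/** dropped: Renovate PRs are covered by pull_request
  pull_request:
    branches: [main]        # new filter: a PR against any other base branch is not scanned
    types: [opened, synchronize, reopened, ready_for_review]   # draft -> ready now triggers
  workflow_dispatch:        # manual escape hatch for ad-hoc scans

# Removed in commit ca80b2c. While present, the `||` picked the group key per event:
#   pull_request -> "CodeQL-<PR number>" (github.event.number is set)
#   push         -> "CodeQL-refs/heads/main" (github.event.number is empty, falls back to github.ref)
# so a second push to the same PR cancelled the first run. Without it, both runs execute.
# concurrency:
#   group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
#   cancel-in-progress: true

jobs:
  analyze:
    runs-on: ubuntu-latest  # assumed
    permissions:
      actions: read         # added explicitly in this PR
      contents: read        # assumed; needed for checkout
      security-events: write  # assumed; needed to upload SARIF results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript          # hardcoded; env.language indirection removed
          queries: +security-and-quality # "+" appends to the default suite instead of replacing it
      - uses: github/codeql-action/analyze@v3
```

If PRs against a non-main base are ever expected, widening `pull_request.branches` (or dropping the filter) is the single line to change; the push filter can stay on `main` since the PR trigger already covers feature and Renovate branches.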