Add CodeQL analysis workflow configuration#102

Open
chrismaz11 wants to merge 1 commit into master from chrismaz11-patch-1

Conversation

@chrismaz11
Collaborator

Summary

  • Describe the change

AI Disclosure (optional)

  • AI-assisted changes are included in this PR

Review Checklist

  • Human review requested
  • Tests added or updated where appropriate
  • No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
  • Security impact and remaining risks are described

Copilot AI review requested due to automatic review settings April 6, 2026 03:34
vercel bot commented Apr 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: trustsignal
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Apr 6, 2026 3:36am

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ee443e275d

Comment on lines +16 to +18
branches: [ "master" ]
pull_request:
branches: [ "master" ]
P1: Trigger CodeQL on active default branch

This workflow only listens on master, but the repository currently has no master branch, so CodeQL will not run for normal push/pull_request activity and findings are deferred to the weekly cron run. That leaves a large gap where insecure changes can merge without code scanning; point these branch filters at the real default branch (or remove the filter) to restore per-PR/per-push coverage.

Copilot AI left a comment

Pull request overview

Adds a GitHub Actions workflow to run GitHub CodeQL “Advanced” code scanning on this repository, enabling automated security analysis on pushes, PRs, and a scheduled cadence.

Changes:

  • Introduces a new .github/workflows/codeql.yml workflow for CodeQL scanning.
  • Configures CodeQL to run as a matrix across multiple languages and upload SARIF results to GitHub Code Scanning.

Comment on lines +46 to +55
- language: actions
build-mode: none
- language: javascript-typescript
build-mode: none
- language: python
build-mode: none
- language: rust
build-mode: none
- language: swift
build-mode: autobuild
Copilot AI Apr 6, 2026

The strategy.matrix.include list is not indented under include: (list items are at the same indentation level). This makes the workflow YAML invalid and the job will fail to load. Indent the - language: entries under include:.

Suggested change
- language: actions
build-mode: none
- language: javascript-typescript
build-mode: none
- language: python
build-mode: none
- language: rust
build-mode: none
- language: swift
build-mode: autobuild
- language: actions
build-mode: none
- language: javascript-typescript
build-mode: none
- language: python
build-mode: none
- language: rust
build-mode: none
- language: swift
build-mode: autobuild

Comment on lines +64 to +67
steps:
- name: Checkout repository
uses: actions/checkout@v4

Copilot AI Apr 6, 2026

steps: is followed by step entries (- name:) at the same indentation level. In GitHub Actions YAML, the list items must be indented under steps:; otherwise the workflow will be invalid.

Comment on lines +30 to +55
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
permissions:
# required for all workflows
security-events: write

# required to fetch internal or private CodeQL packs
packages: read

# only required for workflows in private repositories
actions: read
contents: read

strategy:
fail-fast: false
matrix:
include:
- language: actions
build-mode: none
- language: javascript-typescript
build-mode: none
- language: python
build-mode: none
- language: rust
build-mode: none
- language: swift
build-mode: autobuild
Copilot AI Apr 6, 2026

The workflow matrix includes Swift and conditionally switches to a macOS runner for it, but there doesn’t appear to be any Swift code in this repo. Keeping Swift here adds a macOS job (cost/time) and potential failures; consider removing Swift from the matrix and simplifying runs-on accordingly.

# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4
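Review bot: `uses: actions/checkout@v4` references a mutable tag, and the same applies to the `@v6` suggested elsewhere in this review; since this job holds `security-events: write`, pin the action to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, so that a moved or re-pointed tag cannot silently change what runs in the scanning job.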
Copilot AI Apr 6, 2026

Other workflows in this repo use actions/checkout@v6; this workflow uses actions/checkout@v4. For consistency (and to stay current with the rest of the repo’s CI), consider updating to the same major version used elsewhere.

Suggested change
uses: actions/checkout@v4
uses: actions/checkout@v6

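The points raised across the review above (the branch filters not covering the real default branch, the workflow YAML needing to load at all, and the checkout action reference) can be checked mechanically before merge. The following lint script is an added example, not part of this PR or the repository; `lint_codeql_workflow` is a hypothetical helper, and `SAMPLE_WORKFLOW` is a constructed, trimmed copy of the workflow's triggers and checkout step rather than the PR's file.

```ruby
require "yaml"

# Constructed sample mirroring the reviewed workflow's triggers, one matrix row
# and the checkout step (not the PR's actual file; other rows omitted).
SAMPLE_WORKFLOW = <<~YAML
  name: "CodeQL Advanced"
  on:
    push:
      branches: [ "master" ]
    pull_request:
      branches: [ "master" ]
    schedule:
      - cron: "0 0 * * 1"
  jobs:
    analyze:
      strategy:
        fail-fast: false
        matrix:
          include:
            - language: python
              build-mode: none
      steps:
        - name: Checkout repository
          uses: actions/checkout@v4
YAML

# Returns a list of findings; an empty list means every check passed.
# default_branch is supplied by the caller (e.g. from the repository settings).
def lint_codeql_workflow(yaml_text, default_branch:)
  findings = []
  begin
    wf = YAML.safe_load(yaml_text)
  rescue Psych::SyntaxError => e
    # An unparseable workflow never runs, so nothing else is worth checking.
    return ["YAML does not parse: #{e.message}"]
  end
  # Psych follows YAML 1.1, so the bare key `on` is read as boolean true.
  triggers = wf[true] || wf["on"] || {}
  %w[push pull_request].each do |ev|
    branches = triggers.dig(ev, "branches")
    if branches.nil? || !branches.include?(default_branch)
      findings << "#{ev} filter #{branches.inspect} does not cover default branch #{default_branch}"
    end
  end
  (wf["jobs"] || {}).each do |job, spec|
    Array(spec["steps"]).each do |step|
      ref = step["uses"] or next
      _, tag = ref.split("@", 2)
      # A 40-hex ref is an immutable commit; a tag such as v4 can be moved.
      findings << "#{job}: #{ref} is not pinned to a commit SHA" unless tag =~ /\A\h{40}\z/
    end
  end
  findings
end
```

Run against the sample with the repository's real default branch name; the branch findings disappear only when both filters name that branch, while the unpinned checkout is reported in every case.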