
ci: restore CodeQL + Semgrep SARIF upload (repo public again)#69

Merged
goetchstone merged 2 commits into
mainfrom
ci/restore-codeql-public
Jun 17, 2026

Conversation

@goetchstone

Owner

Repo is public again, so code scanning is free. Restores what we dropped while briefly private:

  • codeql.yml restored (dataflow/taint analysis + Security-tab upload)
  • semgrep.yml re-enables SARIF upload, keeping the actions: read fix so it no longer 403s
  • CLAUDE.md: removed the now-stale private-repo CI Known Issue

The gitleaks pull-requests: read fix from #66 stays. Full free security stack restored: gitleaks + CodeQL + Semgrep + npm audit + tsc/vitest.

Public repos get GitHub code scanning free, so re-enable what we
dropped while briefly private:
- codeql.yml restored (dataflow/taint analysis + Security-tab upload)
- semgrep.yml re-adds SARIF upload (keeps the actions:read fix so it
  no longer 403s)
- CLAUDE.md: drop the now-stale private-repo CI Known Issue

gitleaks pull-requests:read fix from #66 stays. Full free stack back:
gitleaks + CodeQL + Semgrep + npm audit + tsc/vitest.

hono <=4.12.24 had high-severity path-traversal/CORS/body-limit CVEs
(GHSA-wwfh-h76j-fc44 et al.), pulled in transitively through
shadcn -> @modelcontextprotocol/sdk -> hono. Bumped to 4.12.25.
Lockfile-only; clears the Dependency audit gate. tsc + tests pass.
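For readers who want to see what a "full free security stack" of the kind described above looks like in one place, here is an added example workflow. It is not the repository's own codeql.yml, semgrep.yml or gitleaks workflow; the file name `security.yml`, the CodeQL language matrix, the Semgrep rule pack `p/default`, the Node version and the `--audit-level=high` threshold are all assumptions. The permission blocks are the part worth copying: `security-events: write` is what `upload-sarif` needs to post to the Security tab, and `actions: read` is the extra permission the PR mentions as the fix for the 403 on upload (GitHub documents it as required on private repos; keeping it costs nothing on a public one).

```yaml
# security.yml (assumed name; added example, not the project's own workflow)
name: security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  # Secret scanning over the PR's commits. pull-requests: read lets the
  # action list the PR's commits via the API (the "#66 fix" in the PR text).
  gitleaks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # full history so gitleaks can diff commits
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Dataflow/taint analysis; analyze@v3 uploads SARIF to the Security tab itself.
  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write        # required to write code-scanning alerts
      actions: read                 # required for upload on private repos
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript   # assumed: a TS project (tsc/vitest)
          queries: security-extended
      - uses: github/codeql-action/analyze@v3

  # Semgrep writes SARIF to a file; upload-sarif pushes it to code scanning.
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    permissions:
      contents: read
      security-events: write
      actions: read                 # without this the SARIF upload 403s on private repos
    steps:
      - uses: actions/checkout@v4
      - run: semgrep scan --config p/default --sarif --output semgrep.sarif   # rule pack assumed
      - uses: github/codeql-action/upload-sarif@v3
        if: always()                # upload findings even when the scan step fails
        with:
          sarif_file: semgrep.sarif

  # Dependency audit gate plus type-check and tests. The hono bump in this PR is
  # exactly what --audit-level=high would block on: a high-severity transitive CVE.
  audit-and-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22          # assumed
          cache: npm
      - run: npm ci
      - run: npm audit --audit-level=high   # fails on high/critical, passes on lower severities
      - run: npx tsc --noEmit
      - run: npx vitest run
```

Two caveats a practitioner should keep in mind. First, code scanning (the CodeQL job and the `upload-sarif` step) is free only on public repositories; on a private repo both need GitHub Advanced Security, which is why the PR had to drop them while the repo was private rather than just fixing permissions. Second, `npm audit` only sees what is in the lockfile, so a lockfile-only bump like the hono one is sufficient to clear the gate, but the same transitive chain (shadcn -> @modelcontextprotocol/sdk -> hono) can reintroduce the old range on the next `npm install` unless the upstream packages also move their constraints.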
@goetchstone goetchstone merged commit 580996e into main Jun 17, 2026
8 checks passed
@goetchstone goetchstone deleted the ci/restore-codeql-public branch June 17, 2026 10:15