
ci: enable CodeQL security analysis #29

Open
don-petry wants to merge 3 commits into oneirosoft:main from don-petry:ci/codeql

@don-petry (Contributor) commented Mar 31, 2026

Why?

GitHub Actions workflows can contain security vulnerabilities (script injection, overly permissive tokens, unsafe third-party actions). CodeQL's actions language analysis catches these automatically, reducing the risk of supply-chain attacks through CI configuration.

Summary

  • Add CodeQL workflow (.github/workflows/codeql.yml) to scan GitHub Actions workflows for security issues
  • Runs on push/PR to main and on a weekly schedule (Mondays at 06:00 UTC)
  • Uses languages: actions to analyze workflow files; Rust support can be added as CodeQL's Rust analysis matures

Addresses item 8 in #11.

Test plan

  • Verify the workflow triggers on this PR and initializes CodeQL successfully
  • Confirm security-events are written to the Security tab

🤖 Generated with Claude Code

Add CodeQL workflow to scan GitHub Actions workflows for security
issues. Runs on push/PR to main and weekly on Mondays.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 31, 2026 02:48

Copilot AI left a comment


Pull request overview

Adds GitHub CodeQL code scanning to improve security analysis coverage for the repository’s GitHub Actions workflows (per issue #11 item 8).

Changes:

  • Introduces a new CodeQL workflow that runs on push/PR to main and on a weekly cron schedule.
  • Configures CodeQL to analyze actions (GitHub Actions workflow files) and upload results to the Security tab.


Comment thread .github/workflows/codeql.yml Outdated
Comment on lines +5 to +7
branches: [main]
pull_request:
branches: [main]

Copilot AI Mar 31, 2026


To match the YAML style used in the existing workflows (e.g., .github/workflows/ci.yml:9-11), consider using the multi-line list form for branches instead of the inline array syntax. This keeps workflow triggers consistent and easier to edit in diffs.

Suggested change
branches: [main]
pull_request:
branches: [main]
branches:
- main
pull_request:
branches:
- main

Contributor Author


Addressed in the latest push.

DJ and others added 2 commits March 30, 2026 20:09
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@don-petry
Contributor Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: f04672ac421b45273a1dc3d48eb75d31d1d93466
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

PR adds a CodeQL GitHub Actions security scanning workflow that follows best practices: top-level permissions are denied by default, the job grants only the minimum required scopes (security-events: write, contents: read), and all third-party actions are pinned to verified commit SHAs. The triage escalation was due to a triage infrastructure failure (triage-output-invalid), not an actual risk signal. There are two minor style inconsistencies with existing workflows but no blockers.

Findings

Info (non-blocking)

  • .github/workflows/codeql.yml:31 — The codeql-action SHA (c10b8064...) is a real commit on the releases/v4 branch but does not match any specific minor-version tag (latest is v4.35.2). The comment # v4 is imprecise; a specific version like # v4.35.1 would make the intended pin clearer and ease future Dependabot bumps.
  • .github/workflows/codeql.yml:19 — New workflow uses ubuntu-latest while existing ci.yml and release.yml use ubuntu-24.04. Pinning to a specific OS version is more reproducible.
  • .github/workflows/codeql.yml:27 — New workflow uses actions/checkout@v6 (SHA-pinned, correct) while existing ci.yml uses @v5 without a SHA pin. The version bump is fine but worth aligning repo-wide in a follow-up.

CI status

mergeStateStatus: BLOCKED — CI checks may still be running or a branch protection rule is pending.

Note: Approval posted as a comment because the reviewing account is the PR author (GitHub does not allow self-approval). A human reviewer can approve and merge.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
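
The three non-blocking findings in the review above (a tag-only action reference, an imprecise version comment on a SHA pin, a floating runner label), plus the top-level `permissions` check it mentions, can be enforced mechanically across a repository's workflows. The following is an added example, not code from this PR or the project; the sample workflow text, its placeholder SHAs, and the `lint_workflow` function and rule names are constructed for illustration.

```python
import re

# Constructed sample: NOT the PR's codeql.yml. The 40-hex SHAs below are
# placeholders, not real codeql-action commits.
SAMPLE = """\
name: CodeQL
on:
  push:
    branches:
      - main
permissions: {}
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v5
      - uses: github/codeql-action/init@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: github/codeql-action/analyze@0123456789abcdef0123456789abcdef01234567 # v4.35.1
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@(\S+)(?:\s*#\s*(\S+))?")
RUNS_ON = re.compile(r"^\s*runs-on:\s*(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
EXACT_TAG = re.compile(r"^v\d+\.\d+\.\d+$")


def lint_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file's text."""
    findings = []
    lines = text.splitlines()
    # A top-level `permissions:` key starts in column 0; job-level ones are indented.
    if not any(l.startswith("permissions:") for l in lines):
        findings.append((0, "no-top-level-permissions", "token scopes fall back to repo default"))
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if m:
            action, ref, comment = m.groups()
            if not FULL_SHA.match(ref):          # tag or branch ref can be moved
                findings.append((n, "unpinned-action", f"{action}@{ref}"))
            elif not (comment and EXACT_TAG.match(comment)):  # e.g. "# v4"
                findings.append((n, "imprecise-pin-comment", f"{action} # {comment or 'missing'}"))
        m = RUNS_ON.match(line)
        if m and m.group(1).endswith("-latest"):  # image changes under the job
            findings.append((n, "floating-runner", m.group(1)))
    return findings
```

Running `lint_workflow` over each file in `.github/workflows/` as a CI step makes the repo-wide alignment suggested in the review a gate rather than a follow-up.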
