
Migrate CodeQL to advanced setup #23

@zeevdr

Description

Follow-up to opendecree/decree#183. Migrate from default-setup to advanced-setup so we can paths-ignore generated proto stubs and pin the CodeQL workflow to repo conventions.

Reference: opendecree/decree#190 (advanced workflow for the core repo).

Acceptance criteria

  • Disable default-setup: gh api -X PATCH repos/opendecree/decree-python/code-scanning/default-setup -f state=not-configured
  • Add .github/workflows/codeql.yml with Analyze jobs for actions and python
  • Add paths-ignore for generated code: sdk/src/opendecree/_generated/**
  • Match default-setup's default query suite + remote threat model for findings parity
  • Verify advanced-setup flags equivalent findings vs default-setup on the same commit

Notes

Languages currently scanned by default-setup: actions, python. No Go autobuild in this repo, so duration impact will be smaller than decree#183 (~5m 36s on Go).
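An added example, not the decree-python repo's actual file, of what the .github/workflows/codeql.yml from the acceptance criteria could look like: one matrix job per scanned language, the paths-ignore from the criteria, and no query or threat-model overrides so findings stay comparable with default-setup. The branch name and cron schedule are assumptions.

```yaml
# .github/workflows/codeql.yml (constructed example; not from decree-python)
name: "CodeQL"

on:
  push:
    branches: [ "main" ]          # assumed default branch
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "23 4 * * 1"          # assumed weekly full scan

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read              # least privilege: checkout only
      security-events: write      # required to upload SARIF to code scanning
      actions: read
    strategy:
      fail-fast: false
      matrix:
        language: [ actions, python ]   # the two languages default-setup scans today
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Inline config instead of a separate .github/codeql/codeql-config.yml.
          # No `queries:` override, so the default suite runs, and no
          # `threat-models:` key, so only the default (remote) threat model
          # applies; both keep findings comparable with default-setup.
          config: |
            paths-ignore:
              - sdk/src/opendecree/_generated/**

      - uses: github/codeql-action/analyze@v3
        with:
          # Distinct SARIF category per language so the two jobs' results
          # do not overwrite each other on the same commit.
          category: "/language:${{ matrix.language }}"
```

The parity check in the last acceptance criterion can then be done by comparing the code-scanning alerts on one commit before and after running `gh api -X PATCH ... -f state=not-configured`.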

Metadata

Assignees: No one assigned

Labels: ci (CI/Infrastructure), enhancement (New feature or request), priority: P1 (Current milestone work), size: S (Quick win — a few hours or less)