chore: add CodeQL workflow and badge #154
Pull request overview
Adds GitHub CodeQL scanning to the repository and surfaces its status via a README badge, as part of cross-repo community files harmonization.
Changes:
- Added a new .github/workflows/codeql.yml workflow to run CodeQL on pushes/PRs to main and on a weekly schedule.
- Added a CodeQL workflow status badge to README.md.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| README.md | Adds a CodeQL workflow status badge alongside existing CI/release/coverage badges. |
| .github/workflows/codeql.yml | Introduces a CodeQL workflow to upload code scanning results on a schedule and on main push/PR events. |
| name: Analyze | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write |
The job-level permissions block only grants security-events: write; all other scopes (including contents) become none. That can prevent actions/checkout from reading the repository and cause the workflow to fail. Add at least contents: read (and ideally also actions: read per CodeQL guidance) alongside security-events: write.
| security-events: write | |
| security-events: write | |
| actions: read | |
| contents: read |
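Review bot: the suggested block is the right fix, and the essential line is contents: read, since a job-level permissions block replaces the default token scopes entirely and actions/checkout cannot clone with contents set to none; actions: read is only needed by the CodeQL action on private repositories, so on a public repository it can be omitted without affecting the upload of results under security-events: write.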
| languages: actions | ||
| - uses: github/codeql-action/analyze@v3 | ||
| with: | ||
| category: /language:actions |
This repository contains JavaScript code (e.g., npm/bin/ferrflow.js), but the CodeQL init is configured to scan only actions. Consider adding javascript-typescript to languages so CodeQL covers the Node wrapper as well. If you add more languages, update/remove the hard-coded category: /language:actions to avoid mislabeling results.
| languages: actions | |
| - uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: /language:actions | |
| languages: actions, javascript-typescript | |
| - uses: github/codeql-action/analyze@v3 |
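Review bot: dropping the with: category: input together with the hard-coded /language:actions value is consistent with the comment above and is fine while a single analyze step runs, but the suggested languages list still omits rust, which the later comment on this PR says the default setup covers; if this advanced workflow is kept, rust belongs in the list too, and once the job is split into a per-language matrix each analyze step needs its own distinct category again so results from the parallel jobs do not overwrite each other.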
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - uses: actions/checkout@v4 |
Action versions are inconsistent with the rest of the repo: other workflows use actions/checkout@v6 (e.g., .github/workflows/ci.yml:20 and .github/workflows/release.yml:49), but this workflow uses @v4. Aligning versions across workflows reduces maintenance and avoids subtle behavior differences.
| - uses: actions/checkout@v4 | |
| - uses: actions/checkout@v6 |
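Review bot: the version bump is the only change in this hunk, but the security-events: write line in the same hunk is the same under-scoped permissions block flagged in the first comment, so the checkout step will still fail after this bump unless contents: read lands alongside it; the two suggestions should be applied together.

A workflow that folds all three review suggestions into one file, added here as an example for this page and not the file from the PR itself (which the squashed commit message shows was later removed in favour of the default setup): the permissions block carries contents: read and actions: read next to security-events: write, the language matrix covers actions, javascript-typescript and rust, each analyze step gets a category derived from the matrix entry instead of a hard-coded one, and checkout is pinned to @v6 to match ci.yml and release.yml. The cron expression, job name and the use of build-mode none for every language are assumptions, not values taken from the PR.

```yaml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"   # weekly; the exact day and time are an assumption

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF results to code scanning
      contents: read           # required for actions/checkout to clone the repo
      actions: read            # only needed by CodeQL on private repositories
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: javascript-typescript
            build-mode: none
          - language: rust
            build-mode: none   # assumption: no build step needed for this repo
    steps:
      - uses: actions/checkout@v6

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - uses: github/codeql-action/analyze@v3
        with:
          # one category per matrix job, so parallel uploads for the same
          # commit are kept apart instead of replacing each other
          category: "/language:${{ matrix.language }}"
```

Keeping the category derived from the matrix entry is what makes the matrix safe: code scanning keys uploaded results by category, so three jobs uploading under a single fixed /language:actions would report every finding as an Actions result and the later uploads would replace the earlier ones.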
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Default setup already covers actions, javascript-typescript, and rust.
Benchmark

| Benchmark suite | Current: bad8452 | Previous: 894b95d | Ratio |
|---|---|---|---|
| commit_parsing/100 | 17076 ns/iter (± 65) | 17296 ns/iter (± 31) | 0.99 |
| commit_parsing/1000 | 174765 ns/iter (± 856) | 174252 ns/iter (± 1969) | 1.00 |
| commit_parsing/10000 | 1800620 ns/iter (± 44085) | 1810036 ns/iter (± 14531) | 0.99 |
| changelog/build_50 | 8361 ns/iter (± 162) | 7861 ns/iter (± 29) | 1.06 |
| changelog/build_500 | 72932 ns/iter (± 237) | 66462 ns/iter (± 177) | 1.10 |
| version_files/toml_read | 8514 ns/iter (± 273) | 8354 ns/iter (± 51) | 1.02 |
| version_files/toml_write | 181946 ns/iter (± 24222) | 128906 ns/iter (± 12238) | 1.41 |
| version_files/json_read | 5322 ns/iter (± 46) | 5345 ns/iter (± 63) | 1.00 |
| version_files/json_write | 161969 ns/iter (± 23609) | 128684 ns/iter (± 9855) | 1.26 |
| version_files/xml_read | 5122 ns/iter (± 47) | 5134 ns/iter (± 18) | 1.00 |
| version_files/xml_write | 165330 ns/iter (± 25849) | 145455 ns/iter (± 20942) | 1.14 |
| version_files/gradle_read | 4982 ns/iter (± 45) | 5050 ns/iter (± 37) | 0.99 |
| version_files/gradle_write | 200446 ns/iter (± 42318) | 125450 ns/iter (± 11643) | 1.60 |
| config_loading/single | 10313 ns/iter (± 68) | 10393 ns/iter (± 167) | 0.99 |
| config_loading/mono_10 | 15234 ns/iter (± 99) | 15610 ns/iter (± 126) | 0.98 |
| config_loading/mono_50 | 39675 ns/iter (± 847) | 41541 ns/iter (± 340) | 0.96 |

This comment was automatically generated by a workflow using github-action-benchmark.
⚠️ Performance Alert ⚠️

A possible performance regression was detected for the benchmark. The benchmark result of this commit is worse than the previous benchmark result, exceeding the threshold of 1.20.

| Benchmark suite | Current: bad8452 | Previous: 894b95d | Ratio |
|---|---|---|---|
| version_files/toml_write | 181946 ns/iter (± 24222) | 128906 ns/iter (± 12238) | 1.41 |
| version_files/json_write | 161969 ns/iter (± 23609) | 128684 ns/iter (± 9855) | 1.26 |
| version_files/gradle_write | 200446 ns/iter (± 42318) | 125450 ns/iter (± 11643) | 1.60 |

This comment was automatically generated by a workflow using github-action-benchmark.
* chore: add CodeQL workflow and badge
* chore: remove duplicate CodeQL workflow

  Default setup already covers actions, javascript-typescript, and rust.
* chore: remove CodeQL badge (default setup has no workflow file)
Summary
Part of cross-repo community files harmonization.