
[AAASM-3433] 🔧 (ci): run CodeQL on push to master (default-branch coverage) #163

Merged
Chisanan232 merged 1 commit into master from v0.0.1/AAASM-3433/config/codeql_master_coverage on Jun 19, 2026

Conversation

@Chisanan232

Contributor

Target

CodeQL security analysis was never recorded on node-sdk's default branch. gh api repos/ai-agent-assembly/node-sdk/code-scanning/analyses returns 404 "no analysis found" — the code-scanning (security) dashboard is empty and there is no scheduled scan.

Investigation showed the repo's only CodeQL runs come from GitHub's dynamic default setup in code-quality mode — they upload javascript.quality.sarif ("Uploading code quality results"), which lands in the code-quality feed, not the security code-scanning/analyses feed. Hence 0 security analyses despite green CodeQL runs.

  • Task summary:

    Add a committed .github/workflows/codeql.yml (mirroring go-sdk's) that runs the security CodeQL analysis for javascript-typescript and uploads SARIF to the code-scanning feed on push to master and on a weekly schedule, while keeping PR runs.

  • Task tickets:

    • Task ID: AAASM-3433.
    • Relative task IDs:
      • N/A.
    • Relative PRs:
      • N/A.
  • Key point change (optional):

    Triggers pull_request + push: branches:[master] + schedule: cron "0 3 * * 1"; permissions.security-events: write for SARIF upload. Language javascript-typescript, build-mode: none (no autobuild needed for JS/TS), submodules: recursive for parity with go-sdk.

Effecting Scope

  • Action Types:
    • ✨ Adding new something
      • 🟢 No breaking change
    • 🍀 Improving something (performance, code quality, security, etc.)
  • Scopes:
    • 🚀 Building
      • 🤖 CI/CD
  • Additional description:
    CI-config only. No source, dependency, or runtime change. Adds one new workflow file; touches no existing job.

Description

  • Add .github/workflows/codeql.yml: security CodeQL Analyze (javascript-typescript) on PR, push to master, and weekly schedule, validated with actionlint (clean).

How to verify: After merge, push to master triggers the CodeQL workflow; gh api repos/ai-agent-assembly/node-sdk/code-scanning/analyses should then return a recorded analysis on refs/heads/master.

Closes AAASM-3433

🤖 Generated with Claude Code

node-sdk had no committed CodeQL workflow; the existing dynamic
"Code Quality" runs upload only code-quality SARIF, leaving the
security code-scanning feed empty (0 analyses on master). Add a
codeql.yml mirroring go-sdk: pull_request + push:[master] +
weekly schedule, with security-events: write for SARIF upload.

Refs AAASM-3433

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
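For readers who have not opened the workflow file, the shape of a workflow matching the description above (triggers, permissions, language, build mode, submodules) is illustrated here. This is an added example, not the codeql.yml committed by this PR; it uses version tags where the PR uses pinned commit SHAs, and the job and step names are assumed.

```yaml
# Added illustration, not the committed codeql.yml from this PR.
# Assumption: version tags stand in for the pinned commit SHAs the PR uses
# (marked below); job and step names are illustrative.
name: CodeQL

on:
  pull_request:                 # keep the existing PR-time scan
  push:
    branches: [master]          # default-branch coverage: this is what records
                                # an analysis on refs/heads/master in the
                                # code-scanning/analyses (security) feed
  schedule:
    - cron: "0 3 * * 1"         # weekly, Mondays 03:00 UTC

# Least privilege: read the tree, upload SARIF to the security feed, nothing else.
permissions:
  contents: read
  actions: read
  security-events: write        # required for the SARIF upload in the analyze step

jobs:
  analyze:
    name: Analyze (javascript-typescript)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4            # PR pins a full commit SHA here
        with:
          submodules: recursive              # parity with go-sdk

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3   # PR pins a full commit SHA here
        with:
          languages: javascript-typescript
          build-mode: none                   # JS/TS is analyzed from source; no autobuild step

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3   # PR pins a full commit SHA here
        with:
          category: "/language:javascript-typescript"
```

Unlike the dynamic default setup in code-quality mode, this job uploads security SARIF, so after the first push to master the analyses endpoint quoted in the description should stop returning 404.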
@codecov

codecov Bot commented Jun 19, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@sonarqubecloud


@Chisanan232

Contributor Author

🟢 Review result — Claude Code (AAASM-3433)

Verdict: APPROVED — ready for approval & merge.

1. CI status — all green

Analyze (javascript-typescript) ✅ · CodeQL ✅ · SonarCloud ✅ · codecov/patch ✅ · coverage-and-analysis ✅ · napi-build (20 + 22) ✅ · module-smoke (18/20/22) ✅ · quality ✅ · tests (18/20/22/24) ✅. No failures. (BLOCKED = required Pioneer approval.)

2. Scope vs ticket (AAASM-3433)

  • ✅ Root cause (deeper than the ticket assumed): node-sdk's green Analyze runs were GitHub's quality-mode default setup (*.quality.sarif → code-quality feed), so the security code-scanning/analyses feed was empty (404). Fix = new committed security codeql.yml.
  • ✅ Triggers: push: branches:[master] + weekly schedule + pull_request; security-events: write; javascript-typescript, build-mode: none, submodules: recursive; pinned SHAs; mirrors go-sdk.
  • actionlint clean across all workflows; CI-config only.

Post-merge: I'll confirm the security analysis records on master. Ready to merge.

@Chisanan232 Chisanan232 merged commit cacbf32 into master Jun 19, 2026
16 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3433/config/codeql_master_coverage branch June 19, 2026 05:57
