
[AAASM-3434] 🔧 (ci): run CodeQL on push to master (default-branch coverage)#147

Merged: Chisanan232 merged 1 commit into master from v0.0.1/AAASM-3434/config/codeql_master_coverage on Jun 19, 2026

@Chisanan232


Description

python-sdk recorded 0 CodeQL analyses on master (gh api repos/ai-agent-assembly/python-sdk/code-scanning/analyses → HTTP 404 "no analysis found"; default-setup not-configured), leaving the code-scanning dashboard empty with no scheduled scan. There was no CodeQL workflow in the repo at all.

This PR adds .github/workflows/codeql.yml, mirroring go-sdk's codeql.yml, so CodeQL analysis + SARIF upload runs on push to master and on a weekly schedule, while keeping PR runs. Adapted for Python: languages: python with build-mode: none (no build step needed for interpreted analysis), and security-events: write so SARIF can be uploaded on the master path.

CI-config only — no source changes.

Type of Change

  • 🔧 Bug fix

Breaking Changes

  • No

Related Issues

  • Related JIRA ticket: AAASM-3434
  • Related GitHub issues: #XX

Testing

  • No tests required (explain why)

CI-config only. Validated locally with actionlint .github/workflows/codeql.yml — clean. Triggers confirmed by inspection: push.branches: [master] + schedule.cron: "0 3 * * 1" + pull_request. Post-merge AC: an analysis will record on master (gh api repos/ai-agent-assembly/python-sdk/code-scanning/analyses).

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • All tests passing

🤖 Generated with Claude Code

python-sdk recorded 0 CodeQL analyses on master, leaving the
code-scanning dashboard empty with no scheduled scan. Add a CodeQL
workflow mirroring go-sdk's codeql.yml: analysis+upload on push to
master and a weekly schedule, while keeping PR runs. Uses Python
build-mode:none (no build step needed for interpreted analysis).

Refs AAASM-3434

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@Chisanan232


🟢 Review result — Claude Code (AAASM-3434)

Verdict: APPROVED — ready for approval & merge.

1. CI status — green

Analyze (python) ✅ · CodeQL aggregate ✅ · analyze ✅. No failures. (BLOCKED = required Pioneer approval, not a CI failure.)

2. Scope vs ticket (AAASM-3434)

  • ✅ Root cause corrected during impl: python-sdk had no CodeQL workflow at all (default-setup not-configured, code-scanning/analyses → 404). Fix = new committed .github/workflows/codeql.yml.
  • ✅ Triggers: push: branches:[master] + weekly schedule + pull_request; permissions: security-events: write; language python, build-mode: none; pinned action SHAs; mirrors go-sdk (Autobuild dropped — Python is interpreted).
  • actionlint clean; CI-config only, no source changes.

Post-merge: I'll confirm the security analysis records on master (gh api repos/ai-agent-assembly/python-sdk/code-scanning/analyses). Ready to merge.

@Chisanan232 Chisanan232 merged commit e91d73f into master Jun 19, 2026
3 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3434/config/codeql_master_coverage branch June 19, 2026 05:56
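
The post-merge acceptance check named in the description and review (an analysis recorded on master) can be automated against the JSON that `gh api repos/ai-agent-assembly/python-sdk/code-scanning/analyses` returns. This is an added example, not part of the PR or the project's code: the function names, the 8-day freshness window (weekly cron plus one day of slack) and the sample records are assumptions constructed here, while `ref`, `created_at`, `tool.name` and `error` are fields of GitHub's code-scanning analyses response.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample response (not real data): one PR-merge-ref analysis
# and one default-branch analysis.
SAMPLE_ANALYSES = json.loads("""[
  {"ref": "refs/pull/147/merge", "created_at": "2026-06-19T05:40:00Z",
   "tool": {"name": "CodeQL"}, "category": "/language:python", "error": ""},
  {"ref": "refs/heads/master", "created_at": "2026-06-19T06:02:00Z",
   "tool": {"name": "CodeQL"}, "category": "/language:python", "error": ""}
]""")


def parse_ts(value):
    # GitHub returns ISO 8601 UTC timestamps with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def default_branch_coverage(analyses, now, branch="master",
                            max_age=timedelta(days=8)):
    """Classify CodeQL coverage of `branch` as missing, errored, stale or ok.

    Pass an empty list when the API answers 404 "no analysis found".
    PR analyses (refs/pull/N/merge) do not count as default-branch coverage.
    """
    ref = f"refs/heads/{branch}"
    on_branch = [a for a in analyses
                 if a.get("ref") == ref
                 and a.get("tool", {}).get("name") == "CodeQL"]
    if not on_branch:
        return "missing", None
    newest = max(on_branch, key=lambda a: parse_ts(a["created_at"]))
    if newest.get("error"):
        return "errored", newest
    if now - parse_ts(newest["created_at"]) > max_age:
        # The weekly schedule should have produced a newer analysis by now.
        return "stale", newest
    return "ok", newest


if __name__ == "__main__":
    status, newest = default_branch_coverage(
        SAMPLE_ANALYSES, now=datetime(2026, 6, 20, tzinfo=timezone.utc))
    print(status, newest["created_at"] if newest else "-")
```

A "missing" result with only `refs/pull/...` entries present is the state this PR fixes: PR scans exist, but the default branch has never been analysed.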