Implement SOTA alignment reset and reality-check gates #1926

Workflow file for this run

# Static analysis (GitHub CodeQL): Python (Flask web + processor sources) and the TypeScript UI.
# SARIF → Security → Code scanning. The processor's full dependencies (torch/ultralytics) are not
# installed in CI; CodeQL scans the files listed under `paths` in .github/codeql/codeql-config-python.yml.
#
# Branch protection: mark the jobs **of this workflow** as required (e.g. "CodeQL — gate"
# and/or "Analyze (python)" / "Analyze (javascript-typescript)"). Do not rely on a separate
# check named "CodeQL" without the workflow context: that may be the Code Scanning aggregate,
# which has a different lifecycle.
name: BirdLense CodeQL
# Keep the file-coverage calculation on PRs (otherwise, from ~Apr 2026, the CodeQL Action skips it by default).
env:
  CODEQL_ACTION_FILE_COVERAGE_ON_PRS: "true"
on:
  # Manual run: Actions → BirdLense CodeQL → Run workflow
  workflow_dispatch:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]
  schedule:
    # Weekly: pick up new CodeQL queries without a push
    - cron: '32 5 * * 1'
concurrency:
  group: birdlense-codeql-${{ github.ref }}
  cancel-in-progress: false
permissions:
  contents: read
  security-events: write
  actions: read
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 120
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
            config-file: .github/codeql/codeql-config-javascript.yml
          - language: python
            config-file: .github/codeql/codeql-config-python.yml
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4.35.2
        with:
          languages: ${{ matrix.language }}
          config-file: ${{ matrix.config-file }}
      - name: Set up Python (web deps for extraction)
        if: matrix.language == 'python'
        uses: actions/setup-python@v6
        with:
          python-version: '3.12'
          cache: pip
          cache-dependency-path: app/web/requirements.txt
      - name: Install Python dependencies (web)
        if: matrix.language == 'python'
        run: |
          python -m pip install --upgrade pip
          pip install -r app/web/requirements.txt
      - name: Autobuild (Python)
        if: matrix.language == 'python'
        uses: github/codeql-action/autobuild@v4.35.2
      - name: Set up Node (UI)
        if: matrix.language == 'javascript-typescript'
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: npm
          cache-dependency-path: app/ui/package-lock.json
      - name: Build UI
        if: matrix.language == 'javascript-typescript'
        run: |
          cd app/ui
          npm ci
          npm run build
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4.35.2
        with:
          category: '/language:${{ matrix.language }}'
  # A single deterministic status for branch protection (always success or failure, never "skipped").
  codeql-gate:
    name: CodeQL — gate
    runs-on: ubuntu-latest
    needs: analyze
    if: always()
    timeout-minutes: 5
    steps:
      - name: Require all matrix Analyze jobs succeeded
        env:
          ANALYZE_RESULT: ${{ needs.analyze.result }}
        run: |
          set -euo pipefail
          echo "needs.analyze.result=${ANALYZE_RESULT}"
          if [ "${ANALYZE_RESULT}" != success ]; then
            echo "CodeQL matrix did not complete successfully (failure, cancelled, or skipped)."
            exit 1
          fi
          echo "CodeQL: all language analyses succeeded."
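Branch protection matches required status checks by their exact rendered name, so the names the header comment asks you to pin ("Analyze (python)", "Analyze (javascript-typescript)", "CodeQL — gate", with its U+2014 dash) are worth deriving from the workflow rather than typing by hand. The following is an added Python example, not part of the BirdLense repository: the JOBS dict is a hand transcription of the `jobs:` section above, and the matrix model is a simplified one (cross-product of list keys plus `include` entries, no `exclude` handling).

```python
import itertools
import re

# Transcription of the workflow's `jobs:` section (constructed for this example;
# only the fields relevant to check naming are kept).
JOBS = {
    "analyze": {
        "name": "Analyze (${{ matrix.language }})",
        "strategy": {
            "matrix": {
                "include": [
                    {"language": "javascript-typescript",
                     "config-file": ".github/codeql/codeql-config-javascript.yml"},
                    {"language": "python",
                     "config-file": ".github/codeql/codeql-config-python.yml"},
                ]
            }
        },
    },
    "codeql-gate": {"name": "CodeQL \u2014 gate", "needs": "analyze"},
}

# Matches the `${{ matrix.<key> }}` expressions GitHub substitutes into job names.
_MATRIX_EXPR = re.compile(r"\$\{\{\s*matrix\.([A-Za-z0-9_-]+)\s*\}\}")


def matrix_combinations(matrix):
    """Return one dict per matrix leg: the cross-product of plain list keys,
    followed by each `include` entry as its own leg (simplified model)."""
    keys = [k for k in matrix if k not in ("include", "exclude")]
    combos = []
    if keys:
        for values in itertools.product(*(matrix[k] for k in keys)):
            combos.append(dict(zip(keys, values)))
    combos.extend(dict(entry) for entry in matrix.get("include", []))
    return combos


def required_check_names(jobs):
    """Render the exact status-check names that branch protection must list."""
    names = []
    for job_id, job in jobs.items():
        template = job.get("name", job_id)          # unnamed jobs report under their id
        matrix = job.get("strategy", {}).get("matrix")
        if not matrix:
            names.append(template)
            continue
        for combo in matrix_combinations(matrix):
            names.append(_MATRIX_EXPR.sub(lambda m: str(combo.get(m.group(1), "")), template))
    return names


if __name__ == "__main__":
    for name in required_check_names(JOBS):
        print(repr(name))   # repr exposes the em-dash so it is not retyped as "-"
```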