claude/bold-dirac-dGTnM #740

	name: "CodeQL"

	on:
	push:
	branches: ["main"]
	pull_request:
	branches: ["main"]
	schedule:
	- cron: '30 6 * * 1'

	jobs:
	analyze:
	name: Analyze Rust
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	packages: read
	actions: read
	contents: read

	steps:
	- name: Checkout repository
	uses: actions/checkout@v6.0.2

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v4.35.1
	with:
	languages: rust
	build-mode: none
	queries: security-extended

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v4.35.1
	with:
	category: "/language:rust"

	security-checks:
	name: Security Checks
	runs-on: ubuntu-latest
	permissions:
	contents: read

	steps:
	- name: Checkout repository
	uses: actions/checkout@v6.0.2

	- name: Install cargo-audit
	run: \|
	curl -fsSL https://github.com/cargo-bins/cargo-binstall/releases/latest/download/cargo-binstall-x86_64-unknown-linux-musl.tgz \| tar xzf - -C /usr/local/bin
	cargo-binstall cargo-audit --no-confirm

	- name: Cargo Audit
	run: \|
	if ! cargo audit 2>&1 \| tee audit-output.txt; then
	echo "::warning::cargo audit found advisories — review audit-output.txt"
	fi

	- name: Detect suspicious Unicode
	run: \|
	if grep -rP "[\x{200B}-\x{200F}\x{202A}-\x{202E}\x{2066}-\x{2069}]" -n src/; then
	echo "FAILED: Suspicious Unicode control characters detected"
	exit 1
	fi
	echo "PASSED: No suspicious Unicode characters found"

Provide feedback