
ci: add CodeQL Advanced security scanning workflow#387

Open

cheese-cakee wants to merge 6 commits into hiero-ledger:main from cheese-cakee:issue-386-codeql

Conversation


@cheese-cakee cheese-cakee commented Apr 13, 2026

Member

Description

Adds security scanning via GitHub CodeQL to detect vulnerabilities in JavaScript/TypeScript source and GitHub Actions workflows.

Changes Made

  • Added .github/workflows/codeql.yml — CodeQL Advanced workflow with matrix strategy analyzing javascript-typescript and actions languages
  • Updated docs/07-github-automation.md — documented the new workflow

Related Issues

Closes #386

Checklist

  • Tests added/updated (CodeQL is security scanning, not unit tests)
  • Documentation updated
  • Linting passes (YAML validated, follows repo conventions)
  • Branch up-to-date with main

Summary by CodeRabbit

  • Chores
    • Enabled automated CodeQL-based security analysis on code changes to enhance code safety and quality assurance.


@cheese-cakee cheese-cakee requested review from a team as code owners April 13, 2026 20:24

netlify Bot commented Apr 13, 2026


Deploy Preview for hiero-open-source ready!

Name | Link
🔨 Latest commit | 9f0bc87
🔍 Latest deploy log | https://app.netlify.com/projects/hiero-open-source/deploys/6a3165db5aecd7000809d07a
😎 Deploy Preview | https://deploy-preview-387--hiero-open-source.netlify.app


lfdt-bot commented Apr 13, 2026

Contributor

Snyk checks have passed. No issues have been found so far.

Scan Engine | Critical | High | Medium | Low | Total
Open Source Security | 0 | 0 | 0 | 0 | 0 issues



coderabbitai Bot commented Apr 13, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

This PR introduces a new CodeQL Advanced security scanning workflow for the hiero-website repository. The workflow runs on pushes and pull requests to main, scheduled daily, and analyzes both JavaScript/TypeScript and GitHub Actions code using security-extended query profiles with dependency caching enabled.

Changes

CodeQL Security Scanning (.github/workflows/codeql.yml)

  • Workflow triggers and runtime configuration: a workflow named "CodeQL Advanced" triggers on push/PR to main (excluding **/*.md) and on a daily cron, with concurrency cancellation and a workflow-level contents:read permission.
  • Job setup and matrix strategy: the analyze job runs on ubuntu-latest with job-level permissions (contents:read, security-events:write, packages:read) and a matrix covering the actions and javascript-typescript languages with build-mode: none.
  • CodeQL analysis execution steps: the runner is hardened with egress audit, the repo is checked out, Node.js 20 is configured, CodeQL is initialized with security-extended queries and dependency caching, and analysis runs with a language-specific category.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • exploreriii
  • rbarker-dev
  • danielmarv

Poem

🐰 A workflow hops into the fold,
Security queries, both sharp and bold,
CodeQL scans with steady pace,
Keeping trust in every space!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately and concisely summarizes the main change: adding a CodeQL Advanced security scanning workflow to the CI pipeline.
  • Description check: ✅ Passed. The PR description covers key sections (Description, Changes Made, Related Issues, Checklist) and provides clear explanations, though it deviates from the template structure slightly.
  • Linked Issues check: ✅ Passed. The PR fully addresses issue #386 by implementing a CodeQL workflow for JavaScript/TypeScript and actions languages, configuring it with a matrix strategy, documenting it, and following project conventions.
  • Out of Scope Changes check: ✅ Passed. The PR includes the CodeQL workflow and documentation updates directly related to issue #386; no out-of-scope changes were identified.

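The workflow that the CodeRabbit walkthrough above summarizes, written out as an added example so the pieces can be read together: the least-privilege split (contents: read at workflow level, security-events: write only on the job), the two-language matrix with build-mode: none, and the harden-runner, checkout, Node.js, init and analyze steps. This is not the PR's own codeql.yml, which is not reproduced on this page. The triggers, cron expression, permissions, matrix languages, Node.js 20, security-extended queries, dependency caching and per-language category are as the walkthrough and commit message state; the concurrency group expression, fail-fast: false, the job display name and the inline comments are assumptions. Actions are referenced by version tag here, whereas the repository convention (per the commit message) is to pin each action to a commit SHA, and the harden-runner tag is the v2.16.1 the later review asks for.

```yaml
# Added reconstruction of the workflow described on this page; not the PR's file.
# Action refs use version tags for readability; the repo pins them to commit SHAs.
name: "CodeQL Advanced"

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
    paths-ignore:
      - "**/*.md"          # markdown-only PRs are skipped (pull_request only)
  schedule:
    - cron: "28 23 * * *"  # daily at 23:28 UTC

# Assumed group expression: a new push to the same ref cancels the running scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-level default is read-only; the job below adds only what CodeQL needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})   # assumed display name
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # the only write scope: needed to upload SARIF results
      packages: read           # lets the CodeQL action fetch packs from GitHub Packages
    strategy:
      fail-fast: false         # assumed: let the second language finish if one fails
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: javascript-typescript
            build-mode: none
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2.16.1
        with:
          egress-policy: audit   # audit mode logs outbound connections, blocks nothing

      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-extended   # broader suite than the default security-and-quality subset
          dependency-caching: true     # reuse resolved dependencies between runs

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"   # keeps the two uploads distinct in code scanning
```

Two details matter when reviewing a file like this. The category input must differ per matrix entry, otherwise the second upload overwrites the first in the code-scanning results. And security-events: write is what lets the job upload SARIF; granting it at job level rather than workflow level is the pattern the later CodeRabbit comment on the permissions block asks to preserve.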


codacy-production Bot commented Apr 13, 2026


Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy


@coderabbitai coderabbitai Bot left a comment

Contributor


🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

5-14: Add workflow_dispatch trigger for on-demand CodeQL scans.

Other workflows in this repository (e.g., ci.yml) already include this trigger. It's useful for incident response or quick validation after query/config tuning without waiting for scheduled runs or pushes.

🔧 Suggested update
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["main"]
     paths-ignore:
       - "**/*.md"
   schedule:
     - cron: "28 23 * * *"
+  workflow_dispatch:
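Review bot: the paths-ignore in this hunk sits under pull_request only, so a markdown-only push to main still triggers a full scan while a markdown-only PR gets no CodeQL run at all; if the CodeQL check is later made a required status check, those PRs will wait on a status that never reports. Either add the same paths-ignore under push for symmetry, or drop it from pull_request so every PR produces a result. The added workflow_dispatch line itself is harmless on its own.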
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql.yml around lines 5 - 14, Update the CodeQL workflow
trigger block to allow manual runs by adding the workflow_dispatch event
alongside push, pull_request, and schedule; modify the top-level on: stanza in
.github/workflows/codeql.yml (the existing on: block) to include
workflow_dispatch so maintainers can trigger CodeQL scans on demand.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7f0fd07b-7948-4155-981d-cef614006524

📥 Commits

Reviewing files that changed from the base of the PR and between 287d245 and 36fcb44.

📒 Files selected for processing (2)
  • .github/workflows/codeql.yml
  • docs/07-github-automation.md

@cheese-cakee cheese-cakee changed the title Add CodeQL Advanced security scanning workflow ci: add CodeQL Advanced security scanning workflow Apr 13, 2026

cheese-cakee commented Apr 13, 2026

Member Author

The CodeQL check failures are expected until the default CodeQL setup is disabled in repo Settings > Code security.

I think someone with permission needs to switch from 'Default' to 'Advanced' (or disable it) since a custom codeql.yml now handles analysis. Thank you.

exploreriii previously approved these changes Apr 15, 2026
jwagantall previously approved these changes Apr 15, 2026
danielmarv previously approved these changes Apr 15, 2026
aceppaluni previously approved these changes Apr 15, 2026

Member

cc @hiero-ledger/github-maintainers


Contributor

@hiero-ledger/github-maintainers Please help us unblock this change.


Member Author

ready for review @hiero-ledger/github-maintainers

@aceppaluni aceppaluni left a comment

Contributor


@cheese-cakee This is looking good so far. I believe the reason the workflow is failing is due to the change from using GitHub Actions runners to self-hosted runners.

To correct this add an additional step after checking out the repository:

- name: Checkout repository
  uses: actions/checkout@...

- name: Setup Node.js
  uses: actions/setup-node@v4
  with:
    node-version: 20

@rbarker-dev Could I get your input on this?


Contributor

Note: if you proceed with the above, please make sure to use the recent package
https://github.com/actions/setup-node

@aceppaluni aceppaluni left a comment

Contributor


@cheese-cakee Can you resolve branch conflicts please?

Thank you!

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 39-42: The harden-runner action version is inconsistent with other
workflows; locate the workflow step that uses
"step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1"
and update the action reference to the matching version used elsewhere (v2.16.1)
so all workflows use "step-security/harden-runner@v2.16.1" for consistency and
security parity.

In `@content/posts/Hiero_links_of_april_thirteenth.md`:
- Around line 15-16: Update the sentence in the post text that currently reads
"Below are links to some of things that happened this past week." to the
grammatically correct "Below are links to some of the things that happened this
past week." Locate the phrase in
content/posts/Hiero_links_of_april_thirteenth.md and replace "some of things"
with "some of the things" so the published copy reads correctly.
- Around line 27-28: Replace the setext-style heading "Want to be featured on
the Hiero-Website?" (currently followed by the underline `--`) with an ATX-style
heading by prefixing the line with one or more `#` characters (e.g., `# Want to
be featured on the Hiero-Website?`) and remove the underline; update the heading
text formatting as needed (the exact text "Want to be featured on the
Hiero-Website?" identifies the target).

In `@content/posts/hiero_links_of_april_twentieth.md`:
- Around line 14-16: Fix the typos in the post copy: change “happend” to
“happened” and change “some of things” to “some of the things” in the sentence
currently reading "Below are links to some of things that happend this past
week." Also ensure spacing and punctuation remain correct (resulting sentence:
"Below are links to some of the things that happened this past week.").
- Around line 27-28: The heading "Want to be featured on the Hiero-Website?" is
written as a setext-style heading; change it to an ATX heading to satisfy
markdownlint MD003 by replacing the underline with an ATX marker (e.g., prefix
the line with one or more '#' characters such as "# Want to be featured on the
Hiero-Website?") and remove the following underline line so the heading is a
single ATX-style line.

In `@content/posts/hiero_links_of_april_twentyseven.md`:
- Around line 14-16: Update the intro sentence to correct grammar by changing
"some of things" to "some of the things" in the paragraph that begins "This week
featured a lot of new and exciting updates within the Hiero Organization."
Ensure the new sentence reads "Below are links to some of the things that
happened this past week." and keep the surrounding punctuation and emphasis
intact.
- Around line 27-28: Replace the setext-style heading "Want to be featured on
the Hiero-Website?" with an ATX-style heading by prefixing the same text with
one or more # characters (e.g. "# Want to be featured on the Hiero-Website?") so
the line uses ATX heading syntax and removes the underline, ensuring
markdownlint no longer flags the setext style.

In `@content/posts/hip-1137.md`:
- Line 25: Update the user-facing copy in the post's line containing "RPC relays
– nodes providing EVM based interfaces on top of the Hiero network" to hyphenate
the compound adjective by changing "EVM based interfaces" to "EVM-based
interfaces" so the phrase reads "RPC relays – nodes providing EVM-based
interfaces on top of the Hiero network".

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eaa26ad9-d8be-467e-b461-6544443da747

📥 Commits

Reviewing files that changed from the base of the PR and between abf5c97 and 2daeb7f.

⛔ Files ignored due to path filters (16)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • public/images/Block_Node_Discoverability.png is excluded by !**/*.png
  • public/images/Hiero-Logo-Sentx.png is excluded by !**/*.png
  • public/images/april_thirteen.png is excluded by !**/*.png
  • public/images/april_twenty.png is excluded by !**/*.png
  • public/images/april_twentyseven.png is excluded by !**/*.png
  • public/images/four.JPG is excluded by !**/*.jpg
  • public/images/hiero-heka-joins-hiero.png is excluded by !**/*.png
  • public/images/kampala.png is excluded by !**/*.png
  • public/images/one.JPG is excluded by !**/*.jpg
  • public/images/seven.JPG is excluded by !**/*.jpg
  • public/images/six.JPG is excluded by !**/*.jpg
  • public/images/two.JPG is excluded by !**/*.jpg
  • src/components/Divider/__tests__/__snapshots__/Divider.test.tsx.snap is excluded by !**/*.snap
  • src/components/Header/__tests__/__snapshots__/Header.test.tsx.snap is excluded by !**/*.snap
  • src/components/WhatIsHieroSection/__tests__/__snapshots__/WhatIsHieroSection.test.tsx.snap is excluded by !**/*.snap
📒 Files selected for processing (26)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/pr-formatting.yaml
  • CHANGELOG.md
  • README.md
  • content/_index.md
  • content/posts/Hiero_links_of_april_thirteenth.md
  • content/posts/hiero-heka-joins-hiero.md
  • content/posts/hiero_links_of_april_twentieth.md
  • content/posts/hiero_links_of_april_twentyseven.md
  • content/posts/hip-1137.md
  • content/posts/kampala_hiero_event.md
  • docs/blogs.md
  • package.json
  • src/app/blog/[slug]/page.tsx
  • src/app/not-found.tsx
  • src/app/page.tsx
  • src/app/tsc/page.tsx
  • src/components/BlogPostList/index.tsx
  • src/components/ContributorsGrid/index.tsx
  • src/components/Divider/index.tsx
  • src/components/Header/index.tsx
  • src/components/Menu/index.tsx
  • src/components/WhatIsHieroSection/index.tsx
  • src/data/homePageData.ts
  • src/data/repository_stats.json
✅ Files skipped from review due to trivial changes (6)
  • CHANGELOG.md
  • package.json
  • src/data/repository_stats.json
  • src/app/tsc/page.tsx
  • README.md
  • src/data/homePageData.ts

Adds security scanning via GitHub CodeQL to detect vulnerabilities
in JavaScript/TypeScript source and GitHub Actions workflows.

- Analyzes javascript-typescript and actions with build-mode: none
- Uses security-extended query suite for comprehensive coverage
- SHA-pinned actions following existing repo conventions
- Daily scheduled run at 23:28 UTC plus push/PR triggers
- paths-ignore on PRs to skip markdown-only changes

Closes hiero-ledger#386

Signed-off-by: cheese-cakee <farzanaman99@gmail.com>
Signed-off-by: cheese-cakee <farzanaman99@gmail.com>
@cheese-cakee cheese-cakee requested a review from aceppaluni May 14, 2026 19:18

@aceppaluni aceppaluni left a comment

Contributor


Can you update your branch?

Thank you!


Member Author

> Can you update your branch?
>
> Thank you!

Done!

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 26-29: Do not remove or change the workflow-level permissions
block—ensure the YAML keys "permissions", "contents: read", "security-events:
write", and "packages: read" remain present; keep job-level permissions intact
so CodeQL can upload SARIF results (security-events: write is required) and
follow the least-privilege pattern by leaving contents: read at workflow level
and any additional permissions at the job level.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 07edcf43-876c-4ffe-8f73-09d3f9c51758

📥 Commits

Reviewing files that changed from the base of the PR and between 2daeb7f and c2a1eae.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

@aceppaluni aceppaluni added the update branch Contributor needs to click update branch label May 22, 2026

Member Author

Hello @aceppaluni, I think my branch is already up to date, so I'm wondering if the "update branch" label is appropriate here?


Contributor

This repository doesn't have a requirement to merge with an updated branch; however, keeping the branch up to date can be helpful to take note of any unusual behaviour with any new PRs merged to main.


Contributor

@hiero-ledger/github-maintainers

@aceppaluni aceppaluni added update branch Contributor needs to click update branch and removed update branch Contributor needs to click update branch labels Jun 3, 2026

Contributor

@hiero-ledger/github-maintainers

@aceppaluni aceppaluni removed the update branch Contributor needs to click update branch label Jun 16, 2026
Development

Successfully merging this pull request may close these issues.

[Intermediate]: Add static workflow checking for the hiero website
