Skip to content

chore(ci): adding codeql#230

Merged
samber merged 2 commits intomainfrom
chore/adding-codeql
Feb 25, 2026
Merged

chore(ci): adding codeql#230
samber merged 2 commits intomainfrom
chore/adding-codeql

Conversation

@samber
Copy link
Copy Markdown
Owner

@samber samber commented Feb 25, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 25, 2026 18:24
@claude
Copy link
Copy Markdown

claude bot commented Feb 25, 2026
edited
Loading

Claude finished @samber's task in 1m 6s —— View job

PR Review: CodeQL Integration

  • Review workflow changes
  • Check security best practices
  • Verify CodeQL configuration

Summary

The PR adds CodeQL security scanning to the lint workflow. The implementation is generally correct but has a few areas for improvement.

Issues Found

1. Missing explicit contents: read permission (.github/workflows/lint.yml:19)

While security-events: write is correctly set, adding contents: read explicitly follows GitHub's security hardening best practices:

permissions:
  contents: read
  security-events: write

2. Scheduled job runs on all branches

The cron schedule (0 3 * * 1) will run on every branch that has a workflow file. Since GitHub Actions doesn't support branches filter for scheduled events, consider adding a condition:

jobs:
  analyze:
    if: github.event_name == 'schedule' && github.ref == 'refs/heads/main'

Or more simply, just:

    if: github.repository == 'samber/ro' && github.ref == 'refs/heads/main'

3. Job naming confusion (.github/workflows/lint.yml:12-13)

The job was renamed from golangci to analyze, but the display name: lint wasn't updated. Consider:

jobs:
  analyze:
    name: analyze  # or "security analysis"

Or keep it as lint if you want to maintain consistency with the workflow name.

4. Unrelated change in test.yml

The uncommenting of pull_request: trigger in test.yml is unrelated to CodeQL. This should ideally be a separate commit for clearer change history.

Positive Notes

  • CodeQL action versions (@v4) are current
  • Using autobuild is appropriate for Go projects
  • Weekly scan schedule is reasonable
  • Required security-events: write permission is present

claude[bot]
claude bot reviewed Feb 25, 2026
View reviewed changes
claude[bot]
claude bot reviewed Feb 25, 2026
View reviewed changes
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Feb 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.04%. Comparing base (6af5318) to head (ec96fd6).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #230   +/-   ##
=======================================
  Coverage   65.04%   65.04%           
=======================================
  Files          95       95           
  Lines        9104     9104           
=======================================
  Hits         5922     5922           
  Misses       3088     3088           
  Partials       94       94
Flag Coverage Δ
unittests 65.04% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI reviewed Feb 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates GitHub Actions workflows to run on PRs and the default branch, and adds CodeQL scanning into the CI pipeline.

Changes:

  • Update test workflow triggers to run on pull_request and on pushes to the default branch.
  • Update lint workflow triggers to run on pushes to the default branch, PRs, and on a weekly schedule.
  • Add CodeQL init/autobuild/analyze steps to the lint workflow and grant CodeQL upload permissions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/test.yml Adjusts workflow triggers for push-to-branch and PR events.
.github/workflows/lint.yml Adds scheduled runs and CodeQL analysis steps (plus job permissions) to the lint workflow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-advanced-security
Copy link
Copy Markdown

github-advanced-security bot commented Feb 25, 2026

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@samber samber merged commit 7bda0c9 into main Feb 25, 2026
13 of 14 checks passed
@samber samber deleted the chore/adding-codeql branch February 25, 2026 19:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@claude claude[bot] claude[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@samber @codecov-commenter @github-advanced-security