
chore(ci): add CodeQL security analysis workflow #367

Closed
CodeGhost21 wants to merge 2 commits into tinyhumansai:main from CodeGhost21:chore/setup-codeql

Conversation

CodeGhost21 (Collaborator) commented Apr 6, 2026

Summary

  • Add GitHub CodeQL analysis workflow (.github/workflows/codeql.yml) for javascript-typescript
  • Triggers on push/PR to main plus weekly scheduled scan (Sundays 04:30 UTC)
  • Uses security-and-quality query suite for broader coverage
  • Results appear under Security > Code scanning alerts and as PR checks

Test plan

  • Verify CodeQL workflow runs successfully on this PR
  • Confirm results appear under Security > Code scanning alerts
  • Review any initial alerts for false positives; add path exclusions if needed

🤖 Generated with Claude Code

Closes #104

Summary by CodeRabbit

  • Chores
    • Added automated code quality and security scanning to the development pipeline.

Enable GitHub CodeQL static analysis for javascript-typescript on push/PR
to main and weekly schedule to catch security vulnerabilities automatically.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai bot (Contributor) commented Apr 6, 2026

Walkthrough

Added a new GitHub Actions workflow .github/workflows/codeql.yml that runs CodeQL analysis on pushes to main, pull requests targeting main, and weekly via cron; it initializes CodeQL for actions, javascript-typescript, and rust and runs the security-and-quality queries.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CodeQL Workflow: .github/workflows/codeql.yml | New GitHub Actions workflow added. Triggers: push (main), pull_request (targeting main), weekly cron. Permissions set (contents: read, security-events: write, packages: read, actions: read). Job matrix for actions, javascript-typescript, rust with build-mode: none; uses github/codeql-action/init@v4 and github/codeql-action/analyze@v4 to run security-and-quality queries. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped into workflows, swift and spry,
Scanning code beneath the sky,
Queries hum and issues peep,
Quiet watch while projects sleep,
A tiny rabbit keeps your builds safe and spry.

Pre-merge checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | Passed | The pull request title accurately and concisely describes the main change: adding a CodeQL security analysis workflow to the CI configuration. |
| Linked Issues check | Passed | The implementation successfully fulfills all primary objectives from issue #104: CodeQL workflow added to .github/workflows/, configured for javascript-typescript analysis with additional rust and actions languages, proper triggers for push/pull_request to main and weekly schedule, and correct security-events permissions. |
| Out of Scope Changes check | Passed | All changes are scoped to adding the CodeQL workflow configuration file; no unrelated modifications to other code or configurations are present. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai bot (Contributor) left a comment

🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

3-10: Consider adding manual trigger support for incident/debug runs.

workflow_dispatch would let maintainers run CodeQL on demand (outside push/PR/schedule windows), which is useful for triage and rule-tuning.

♻️ Proposed change
 on:
+  workflow_dispatch:
   push:
     branches: [main]
   pull_request:
     branches: [main]
   schedule:
     # Weekly drift scan — Sundays at 04:30 UTC
     - cron: '30 4 * * 0'
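Review bot: the unchanged context lines in this hunk show the cron as '30 4 * * 0' (Sundays 04:30 UTC), which is the state at cf9e341; the later review of 03742d9 reports the file now carries '37 9 * * 6', so this suggestion will not apply cleanly to the current head and should be re-based before committing. The workflow_dispatch addition itself is fine to take: it declares no inputs, and the permissions block listed in the walkthrough (contents: read, security-events: write, packages: read, actions: read) bounds a manual run the same way it bounds a scheduled one.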

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9e8f1a29-9640-4460-8040-00b6457e4531

📥 Commits

Reviewing files that changed from the base of the PR and between faa881c and cf9e341.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

- Scan actions, javascript-typescript, and rust (drop unused ruby)
- Use build-mode: none for all languages, remove autobuild step
- Bump codeql-action to v4, add security-and-quality query suite

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

41-51: Pin GitHub Actions to immutable SHAs for supply-chain hardening.

actions/checkout@v4, github/codeql-action/init@v4, and github/codeql-action/analyze@v4 use mutable version tags. Pin each to a full commit SHA (40-character hex) instead to prevent tampering.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6d0c896f-19de-4b5b-b323-c2f2e759e039

📥 Commits

Reviewing files that changed from the base of the PR and between cf9e341 and 03742d9.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

Comment on lines +9 to +10
# Weekly drift scan — Saturdays at 09:37 UTC
- cron: '37 9 * * 6'
Contributor left a comment

⚠️ Potential issue | 🟡 Minor

Schedule does not match the stated PR objective.

Line 10 is configured for Saturday 09:37 UTC, but the PR objective states a weekly run on Sunday 04:30 UTC. Please align code and PR documentation to avoid ops confusion.

🔧 Suggested change (if the objective is the source of truth)
-    # Weekly drift scan — Saturdays at 09:37 UTC
-    - cron: '37 9 * * 6'
+    # Weekly drift scan — Sundays at 04:30 UTC
+    - cron: '30 4 * * 0'
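Review bot: this hunk restores the schedule the PR description promises, and it changes the comment together with the value, which is the right shape for the fix. The follow-up commit message (scan three languages, build-mode none, bump codeql-action to v4) says nothing about moving the schedule to Saturday 09:37, so the current value reads as an unintended side effect of that commit rather than a deliberate choice; worth confirming with the author before merging either way.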

senamakel (Member) commented

github automatically works on this

@senamakel senamakel closed this Apr 6, 2026

Development

Successfully merging this pull request may close these issues.

[CI] Set up GitHub CodeQL code scanning

2 participants