From 748fc0227ab7d2d3244eded61944f7e0efb2dd40 Mon Sep 17 00:00:00 2001 From: Derek Gulbranson Date: Sun, 5 Jul 2026 21:45:26 -0700 Subject: [PATCH 1/3] Add CodeQL scanning workflow for Python Uses the default query suite (not security-extended) and excludes tests/docs/dist from analysis to keep initial findings low-noise. Co-Authored-By: Claude Sonnet 5 --- .github/codeql/codeql-config.yml | 6 ++++++ .github/workflows/codeql.yml | 33 ++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 .github/codeql/codeql-config.yml create mode 100644 .github/workflows/codeql.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000..8869e46 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,6 @@ +name: "CodeQL config" + +paths-ignore: + - tests + - docs + - dist diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..1a07f40 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,33 @@ +name: CodeQL + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '30 4 * * 1' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (python) + runs-on: ubuntu-latest + permissions: + security-events: write + + steps: + - uses: actions/checkout@v7 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: python + config-file: ./.github/codeql/codeql-config.yml + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:python" From 3fd2e5c4b01744ebfbbdff8f49a284445efd5c1a Mon Sep 17 00:00:00 2001 From: Derek Gulbranson Date: Sun, 5 Jul 2026 21:52:11 -0700 Subject: [PATCH 2/3] Bump codeql-action to v4 v3 is slated for deprecation in December 2026. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1a07f40..15cb3fb 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,12 +22,12 @@ jobs: - uses: actions/checkout@v7 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: python config-file: ./.github/codeql/codeql-config.yml - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:python" From 468d8e1d9bf24d82de5324506cab0a66609d427c Mon Sep 17 00:00:00 2001 From: Derek Gulbranson Date: Sun, 5 Jul 2026 21:57:40 -0700 Subject: [PATCH 3/3] Restore actions-workflow scanning, drop unused path exclusions Default setup was scanning both python and actions languages; the python-only advanced workflow silently dropped actions coverage (which previously caught a real missing-workflow-permissions alert). The tests/docs/dist exclusions weren't preventing any actual findings - all historical alerts are in nameparser/config/regexes.py - so drop that config file rather than carry unused maintenance. Co-Authored-By: Claude Sonnet 5 --- .github/codeql/codeql-config.yml | 6 ------ .github/workflows/codeql.yml | 7 ++----- 2 files changed, 2 insertions(+), 11 deletions(-) delete mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml deleted file mode 100644 index 8869e46..0000000 --- a/.github/codeql/codeql-config.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: "CodeQL config" - -paths-ignore: - - tests - - docs - - dist diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 15cb3fb..f4cdb99 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -13,7 +13,7 @@ permissions: jobs: analyze: - name: Analyze (python) + name: Analyze runs-on: ubuntu-latest permissions: security-events: write @@ -24,10 +24,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: - languages: python - config-file: ./.github/codeql/codeql-config.yml + languages: python, actions - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 - with: - category: "/language:python"