From 63b3cb0c109c851a9d86d7c485e2216be70389cf Mon Sep 17 00:00:00 2001
From: Danijel Martinek <danijel@fraqtal.xyz>
Date: Thu, 14 May 2026 17:55:41 +0000
Subject: [PATCH] ci(security): add CodeQL javascript-typescript analysis
 workflow

Adds CodeQL static analysis on push to main, pull_request, and weekly
on Wednesday 02:00 UTC (staggered from trace-revalidation Monday cron).
Uses the default security-and-quality query suite. Includes a consumer
note that private repos require GitHub Advanced Security.
---
 .github/workflows/codeql.yml | 44 ++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..0a90183
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,44 @@
+# CodeQL static analysis — javascript-typescript.
+#
+# Runs on every push to main, every pull request, and weekly on Wednesday
+# at 02:00 UTC (staggered from the trace-revalidation cron on Monday 06:30).
+#
+# NOTE (consumers): CodeQL is free for public repositories and GitHub Free
+# plans. For *private* repositories it requires GitHub Advanced Security
+# (available on GitHub Enterprise Cloud/Server or as an add-on). If you are
+# using this template with a private repo and do not have Advanced Security
+# enabled, remove or disable this workflow — it will fail at the "Initialize
+# CodeQL" step with a licensing error.
+
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    # 02:00 UTC every Wednesday
+    - cron: "0 2 * * 3"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (javascript-typescript)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          # Uses the default query suite (security-and-quality). To restrict
+          # to security-only queries, set:
+          #   queries: security-extended
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3