ci(security): add CodeQL javascript-typescript analysis workflow

Adds CodeQL static analysis on push to main, pull_request, and weekly on Wednesday 02:00 UTC (staggered from trace-revalidation Monday cron). Uses the default security-and-quality query suite. Includes a consumer note that private repos require GitHub Advanced Security.
2026-05-14 17:55:41 +00:00
parent 1979041197
commit 63b3cb0c10
1 changed files with 44 additions and 0 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,44 @@
+# CodeQL static analysis — javascript-typescript.
+#
+# Runs on every push to main, every pull request, and weekly on Wednesday
+# at 02:00 UTC (staggered from the trace-revalidation cron on Monday 06:30).
+#
+# NOTE (consumers): CodeQL is free for public repositories and GitHub Free
+# plans. For *private* repositories it requires GitHub Advanced Security
+# (available on GitHub Enterprise Cloud/Server or as an add-on). If you are
+# using this template with a private repo and do not have Advanced Security
+# enabled, remove or disable this workflow — it will fail at the "Initialize
+# CodeQL" step with a licensing error.
+
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    # 02:00 UTC every Wednesday
+    - cron: "0 2 * * 3"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (javascript-typescript)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          # Uses the default query suite (security-and-quality). To restrict
+          # to security-only queries, set:
+          #   queries: security-extended
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3