Skip to content

ci(codeql): add weekly + push CodeQL JS/TS scan#133

Merged
Luis85 merged 1 commit into
developfrom
ci/codeql-weekly
Apr 26, 2026
Merged

ci(codeql): add weekly + push CodeQL JS/TS scan#133
Luis85 merged 1 commit into
developfrom
ci/codeql-weekly

Conversation

@Luis85
Copy link
Copy Markdown
Owner

@Luis85 Luis85 commented Apr 26, 2026

Tracks: #130
Tracks: #131

Summary

Adds a CodeQL JS/TS scan that runs on every push and PR to develop/main
plus a Mondays-06:00-UTC weekly cron, using the security-and-quality
query suite. All actions pinned to 40-char commit SHAs per the repo's
supply-chain rule.

Ticks row 1 of the umbrella tracker.

Test plan

  • npm run verify green (523/523 tests, lint/typecheck/build all pass)
  • actionlint clean on .github/workflows/codeql.yml
  • Action SHAs resolved via the umbrella's resolve_action_sha peel-aware helper (annotated tags handled)
  • Post-merge: confirm CodeQL / Analyze (javascript-typescript) job runs green on the merge push to develop

@Luis85
Copy link
Copy Markdown
Owner Author

Luis85 commented Apr 26, 2026

@codex review

@chatgpt-codex-connector
Copy link
Copy Markdown

chatgpt-codex-connector Bot commented Apr 26, 2026

Codex Review: Didn't find any major issues. You're on a roll.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 26, 2026

Coverage report

Metric This PR vs base Floor Status
statements 76.63% ➖ 0.00pp 74%
branches 66.96% ➖ 0.00pp 64%
functions 85.45% ➖ 0.00pp 83%
lines 78.24% ➖ 0.00pp 75%

Floors live in scripts/coverageThresholds.mjs (drift envelope 5pp). Re-baseline by editing that file when ⚠️ appears above; cite the new measured value + commit SHA.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 26, 2026

size-limit report 📦

Path Size
dist/index.js (gzip) 37.87 KB (0%)
dist/integrations/excalibur/index.js (gzip) 1.4 KB (0%)
dist/cognition/adapters/mistreevous/index.js (gzip) 1.14 KB (0%)
dist/cognition/adapters/js-son/index.js (gzip) 1.36 KB (0%)
dist/cognition/adapters/tfjs/index.js (gzip) 8.74 KB (0%)

@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Apr 26, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@Luis85 Luis85 merged commit cf31aa3 into develop Apr 26, 2026
25 of 26 checks passed
@Luis85 Luis85 deleted the ci/codeql-weekly branch April 26, 2026 13:44
This was referenced Apr 26, 2026
Open
Merged
Luis85 added a commit that referenced this pull request Apr 26, 2026
@Luis85
docs(memory): squash-merge default + force-delete cleanup (#151)
132c58d 
## Summary

Update `feedback_autonomous_merge_after_codex.md` to reflect two operational shifts already in practice:

- **Project switched to squash-merge** post-PR #119. Every PR from #133 onward lands as a squash commit (`<type>: <subject> (#NNN)`). Previous `gh pr merge <n> --merge --delete-branch` recipe returns `enablePullRequestAutoMerge` GraphQL error.
- **Post-squash topic branches need `-D`** for cleanup. The squash creates a NEW commit SHA, so the local topic branch is no longer an ancestor of develop and `git branch -d <topic>` fails.

Also documents the `--auto` flag for cases where `gh pr merge` is fired while required checks are still mid-run.

## Files changed

- `.claude/memory/feedback_autonomous_merge_after_codex.md` — `--merge` → `--squash`, `-d` → `-D`, plus the `--auto` note.

## Test plan

- [x] `npm run verify` green locally (format:check + lint + typecheck + 588 tests + build + typedoc)
- [x] No `src/**` changes — memory-doc only
- [x] No changeset (per `CLAUDE.md`: docs/refactor/chore PRs skip changesets)

## Notes for review

- This recipe was used end-to-end on PR #149 a few minutes before this PR — `--squash --delete-branch` with `--auto`-equivalent timing worked clean.
- Rule violation flagged: this is a second PR opened in the same Claude session as #149. Owner explicitly requested it after #149 landed; cited as override of the new one-PR-per-session rule for a trivial single-file memory doc update.
@Luis85 Luis85 added the roadmap:quality-baseline Quality automation: CodeQL, Stryker, determinism replay, demo smoke, review-finding fixes label May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

roadmap:quality-baseline Quality automation: CodeQL, Stryker, determinism replay, demo smoke, review-finding fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Luis85 @github-advanced-security @Symprowire