
ci: add CodeQL code scanning#631

Merged: wizzomafizzo merged 1 commit into main from chore/codeql on Apr 9, 2026

Conversation

@wizzomafizzo (Member) commented Apr 9, 2026

Summary

  • Add CodeQL workflow with security-extended query suite
  • Triggers on PRs, pushes to main, and weekly schedule
  • Manual build mode (native deps required for cgo)
  • Dependency caching enabled

Summary by CodeRabbit

Chores

  • Added automated code analysis workflow integrated with the continuous integration pipeline. The workflow is triggered on code pushes to the main branch, pull requests targeting the main branch, and executes on a weekly recurring schedule. It performs comprehensive analysis across the entire codebase and provides analysis reports for all builds.

Add CodeQL security analysis with the security-extended query suite.
Runs on PRs, pushes to main, and weekly schedule (catches new
vulnerability patterns in existing code).

Uses manual build mode to install native dependencies (libnfc, gtk,
pcsclite, alsa) required for cgo compilation before analysis.

Results appear in the repository's Security tab under Code scanning.
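For readers who have not seen the file, a workflow of the shape the description lists (security-extended suite, manual build mode with the native cgo dependencies installed first, push/PR/weekly triggers, dependency caching) looks roughly like this. This is an added illustration written for this page, not the repository's actual .github/workflows/codeql.yml; the action version tags, the cron value and the `dependency-caching` input name are assumptions to check against the codeql-action documentation for the version in use.

```yaml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly; constructed value, pick your own slot

permissions:
  contents: read          # least privilege: the job only needs to read the tree
  security-events: write  # required to upload SARIF results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # version tag assumed

      # Go must be on PATH before codeql-action/init so the Go extractor
      # traces the same toolchain that later runs `go build`.
      - name: Set up Go
        uses: actions/setup-go@v5          # version tag assumed
        with:
          go-version-file: go.mod

      # cgo packages only compile with these headers present.
      - name: Install native dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libnfc-dev libgtk-3-dev libx11-dev libpcsclite-dev libasound2-dev

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3  # version tag assumed
        with:
          languages: go
          build-mode: manual               # we drive the build ourselves (cgo deps above)
          queries: security-extended       # broader suite than default: more to triage, fewer misses
          dependency-caching: true         # assumed input name; verify for your codeql-action version

      # Only code that is compiled here is extracted in manual mode, so
      # packages excluded by build tags are not scanned.
      - name: Build
        run: go build ./...

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3  # version tag assumed
        with:
          category: "/language:go"
```

On a private repository the `actions: read` permission is also needed for the analyze step to report results on pull requests.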
sentry bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


coderabbitai bot commented Apr 9, 2026

Walkthrough

A new GitHub Actions workflow file enables CodeQL security analysis for the repository. The workflow triggers on pushes to main, pull requests targeting main, and weekly schedule. It initializes CodeQL for Go with security-extended queries, installs system dependencies, builds the project, and runs the analysis.

Changes

Cohort: CodeQL Workflow Configuration
File(s): .github/workflows/codeql.yml
Summary: New workflow file that configures CodeQL security scanning for Go code with security-extended query suite, dependency caching, and automated triggers on main branch events and weekly schedule.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit hops through code so keen,
CodeQL's guard, now in the scene,
Security scans both far and wide,
Go builds checked with careful pride,
Safety whiskers twitch with glee! 🔒

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'ci: add CodeQL code scanning' directly and concisely describes the main change: adding CodeQL security analysis to the CI workflow.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-advanced-security commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

coderabbitai bot left a comment

🧹 Nitpick comments (2)
.github/workflows/codeql.yml (2)

38-39: Align codeql workflow with established Go setup pattern.

The build step should pin Go's version using actions/setup-go with go-version-file: go.mod before executing the build, matching the pattern used in build.yml, lint-and-test.yml, and other workflows. This ensures consistent Go versions across CI runs and avoids drift-related failures.

♻️ Suggested refactor
+      - name: Set up Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
       - name: Build
         run: go build ./...
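Review bot: The position of the inserted `Set up Go` step relative to the CodeQL `init` step is the thing to check, not only its position before Build: the PR description says this is a manual-mode build, and for Go the CodeQL extractor traces whichever `go` toolchain is on PATH when `init` runs, so codeql-action warns when `actions/setup-go` is detected after `init`. If `init` sits above line 38 in the file, insert the step before `init` rather than immediately before `Build`. The full-SHA pin with the `# v5` comment is the right shape; confirm the SHA resolves to a v5 release tag when applying.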
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql.yml around lines 38 - 39, Update the CodeQL
workflow's Build step to pin Go using the actions/setup-go action before running
go build: insert a step that uses actions/setup-go with the input
go-version-file: go.mod prior to the step named "Build" (which runs `go build
./...`) so the runtime Go version matches the repository's go.mod, mirroring the
pattern used in build.yml and lint-and-test.yml.

33-37: Use cached APT packages to match existing CI pattern and reduce runtime.

The apt-get pattern at line 33-37 is inconsistent with the established caching approach in lint-and-test.yml, which already caches these same packages using awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0. Adopting the same pattern here will improve build performance and consistency.

♻️ Suggested refactor
-      - name: Install native dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y libnfc-dev libgtk-3-dev libx11-dev libpcsclite-dev libasound2-dev
+      - name: Cache APT packages (Ubuntu)
+        uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
+        with:
+          packages: libnfc-dev libgtk-3-dev libx11-dev libpcsclite-dev libasound2-dev
+          version: 1.1
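Review bot: Replacing `apt-get update` / `apt-get install` with the cache action freezes the native `-dev` packages under the `version: 1.1` key: until that key is bumped, every scan build restores the package set captured on the first run rather than the current archive contents, so the headers CodeQL compiles against can lag the distribution. That is acceptable for a scan-only build that ships nothing, but adopt the same key-bump convention lint-and-test.yml uses so the two workflows do not drift, and keep the full-SHA pin on this third-party action as the hunk does.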
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql.yml around lines 33 - 37, Replace the inline
apt-get update/install step named "Install native dependencies" with the same
cached APT pattern used in lint-and-test.yml: add the
awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 step to
restore the cached packages (using the same key/version), then run sudo apt-get
update and sudo apt-get install -y libnfc-dev libgtk-3-dev libx11-dev
libpcsclite-dev libasound2-dev as before so installs are served from the cache;
ensure the cache action is configured with the same cache key/paths and version
to match existing CI and improve runtime consistency.

Commits

Reviewing files that changed from the base of the PR and between 5f986d9 and 9eab693.

Files selected for processing (1)
  • .github/workflows/codeql.yml

@wizzomafizzo wizzomafizzo merged commit 352309c into main Apr 9, 2026
15 checks passed
@wizzomafizzo wizzomafizzo deleted the chore/codeql branch April 9, 2026 10:36