feat(governance): add codeql-reusable.yml — consolidate 263-repo codeql.yml drift#192
Open
hyperpolymath wants to merge 2 commits into
Open
feat(governance): add codeql-reusable.yml — consolidate 263-repo codeql.yml drift#192hyperpolymath wants to merge 2 commits into
hyperpolymath wants to merge 2 commits into
Conversation
…ql.yml drift Extends the #168/#174/#187/#190 reusable-workflow pattern to codeql.yml, the third foundational security workflow in the convergence sweep. Drift survey (gh api /search/code paginated over org:hyperpolymath, blob-SHA grouped): - 263 deployments, 69 unique blob SHAs (26% drift) - Top 7 SHAs cover 195/263 (74%); long tail of 62 SHAs covers 68 repos Language matrix distribution (key for the reusable design): - 223 (84.8%) javascript-typescript only - 22 (8.4%) actions only - 6 (2.3%) NONE (no matrix declared — needs per-repo review) - 3 (1.1%) rust only - 3 (1.1%) javascript-typescript,rust - 3 (1.1%) actions,javascript-typescript - 2 (0.8%) actions,javascript-typescript,rust - 1 (0.4%) actions,rust 100% of estate variants currently use `build-mode: none`. Design choice — single-language single-job reusable (vs matrix-as-input): - Single-language wrappers (~85%) call the reusable once with defaults. - Multi-language wrappers (~3.4%) call the reusable once per language in parallel; per-language SARIF separation preserved via the `category: "/language:${{ inputs.language }}"` field. This pattern matches how callers already think about CodeQL (one job per language) without forcing them to pass JSON-array inputs. Inputs: - language (string, default `javascript-typescript`) - build-mode (string, default `none`) - runs-on (string, default `ubuntu-latest`) Sweep classification (preview): - TRIVIAL (~210): single javascript-typescript, default wrapper - Single-language non-default (~25): rust or actions, override language - Multi-language (~9): wrapper invokes reusable per-language - NEEDS_REVIEW (~18): NONE matrix or non-canonical custom workflow After merge, ~93% of 263 wrappers are mechanical conversions.
This was referenced May 26, 2026
The PR was opened with auto-merge ON 4h ago but no workflow runs ever fired against the head commit. The required-checks gate cannot be satisfied without CI runs, so the PR cannot auto-merge. Pushing this empty commit to re-trigger workflows.
hyperpolymath
added a commit
that referenced
this pull request
May 26, 2026
Same as #192 (codeql-reusable) — auto-merge enabled but zero workflow runs against the head commit. Pushing empty commit to re-trigger CI.
hyperpolymath
added a commit
that referenced
this pull request
May 26, 2026
Same as #192 (codeql-reusable) — auto-merge enabled but zero workflow runs against the head commit. Pushing empty commit to re-trigger CI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Third foundational reusable in the workflow-convergence sweep (#168 → #174 → #187 → #190 → this). Targets
codeql.yml, the 263-deployment CodeQL security-analysis workflow.Drift survey
Full pagination of
gh api /search/codeagainstorg:hyperpolymath, blob-SHA grouped:Language matrix distribution (key for design)
javascript-typescriptonlyactionsonlyrustonlyjavascript-typescript,rustactions,javascript-typescriptactions,javascript-typescript,rustactions,rust100% of estate variants use
build-mode: none— verified across rust-only, actions-only, and mixed sampled variants.Design choice — single-language single-job reusable
Caller invokes the reusable once per language. Multi-language wrappers (~3.4%) call it multiple times in parallel; per-language SARIF separation is preserved via the
category: "/language:${{ inputs.language }}"step.This matches how callers already think about CodeQL (one job per language) without forcing a JSON-array input or matrix-as-string-input. The alternative (matrix-as-input) would have made the 85% single-language case more awkward.
Inputs
language(string, defaultjavascript-typescript) — single CodeQL language identifierbuild-mode(string, defaultnone) — 100% of estate currently usesnone; default covers everythingruns-on(string, defaultubuntu-latest)Caller wrapper examples
Single-language (~85% of estate):
~5 lines, replacing ~49.
Rust-only or actions-only (~10% of estate):
Multi-language (~3.4% of estate):
Rollout plan
NOT started in this PR — owner-gated.
javascript-typescriptdefault. One-line wrapper.language: rustorlanguage: actions.NONEmatrix (6) + 100-line custom workflows (~2-3). Per-repo review.Total expected sweep: ~245 PRs (93% mechanical).
Pattern hardening
workflow_callshape as refactor(governance): subsume language-policy.yml + add deno-ci-reusable (semantics-level fix for estate-template drift) #168 / feat(governance): add rust-ci-reusable + elixir-ci-reusable workflows #174 / feat(governance): add mirror-reusable.yml — consolidate 289-repo mirror.yml drift #187 / feat(governance): add secret-scanner-reusable.yml — propagate shell-secrets to 281 repos #190 — no new infrastructure.🤖 Generated with Claude Code