From 6db3daf4396b0f9812f1ba3bd41c997ed606afa7 Mon Sep 17 00:00:00 2001 
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 11:51:43 +0100 Subject: [PATCH 1/2] =?UTF-8?q?feat(governance):=20add=20codeql-reusable.y?= =?UTF-8?q?ml=20=E2=80=94=20consolidate=20263-repo=20codeql.yml=20drift?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extends the #168/#174/#187/#190 reusable-workflow pattern to codeql.yml, the third foundational security workflow in the convergence sweep. Drift survey (gh api /search/code paginated over org:hyperpolymath, blob-SHA grouped): - 263 deployments, 69 unique blob SHAs (26% drift) - Top 7 SHAs cover 195/263 (74%); long tail of 62 SHAs covers 68 repos Language matrix distribution (key for the reusable design): - 223 (84.8%) javascript-typescript only - 22 (8.4%) actions only - 6 (2.3%) NONE (no matrix declared — needs per-repo review) - 3 (1.1%) rust only - 3 (1.1%) javascript-typescript,rust - 3 (1.1%) actions,javascript-typescript - 2 (0.8%) actions,javascript-typescript,rust - 1 (0.4%) actions,rust 100% of estate variants currently use `build-mode: none`. Design choice — single-language single-job reusable (vs matrix-as-input): - Single-language wrappers (~85%) call the reusable once with defaults. - Multi-language wrappers (~3.4%) call the reusable once per language in parallel; per-language SARIF separation preserved via the `category: "/language:${{ inputs.language }}"` field. This pattern matches how callers already think about CodeQL (one job per language) without forcing them to pass JSON-array inputs. 
Inputs: - language (string, default `javascript-typescript`) - build-mode (string, default `none`) - runs-on (string, default `ubuntu-latest`) Sweep classification (preview): - TRIVIAL (~210): single javascript-typescript, default wrapper - Single-language non-default (~25): rust or actions, override language - Multi-language (~9): wrapper invokes reusable per-language - NEEDS_REVIEW (~18): NONE matrix or non-canonical custom workflow After merge, ~93% of 263 wrappers are mechanical conversions.
---
 .github/workflows/codeql-reusable.yml | 96 +++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 .github/workflows/codeql-reusable.yml
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
new file mode 100644
index 00000000..24674e36
--- /dev/null
+++ b/.github/workflows/codeql-reusable.yml
@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# codeql-reusable.yml — Reusable CodeQL security-analysis workflow.
+#
+# Consolidates the per-repo `codeql.yml` workflow (estate-wide: 263
+# deployments, 69 unique blob SHAs, 26% structural drift). Language
+# matrix distribution across the estate:
+#
+# javascript-typescript 223 (84.8%)
+# actions 22 (8.4%)
+# NONE (no matrix declared) 6 (2.3%)
+# rust 3 (1.1%)
+# javascript-typescript,rust 3 (1.1%)
+# actions,javascript-typescript 3 (1.1%)
+# actions,javascript-typescript,rust 2 (0.8%)
+# actions,rust 1 (0.4%)
+#
+# 100% of estate variants currently use `build-mode: none`.
+#
+# Design: single-language single-job reusable. Multi-language wrappers
+# invoke the reusable once per language (parallel-by-construction).
+# This avoids the matrix-as-input awkwardness while preserving per-
+# language SARIF separation via the `category` step.
+#
+# Caller examples:
+#
+# # Single-language (~85% of estate):
+# jobs:
+# codeql:
+# uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@
+# # defaults to language=javascript-typescript, build-mode=none
+#
+# # Rust-only:
+# jobs:
+# codeql:
+# uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@
+# with:
+# language: rust
+#
+# # Multi-language (JS/TS + actions + Rust):
+# jobs:
+# codeql-js:
+# uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@
+# codeql-actions:
+# uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@
+# with:
+# language: actions
+# codeql-rust:
+# uses: hyperpolymath/standards/.github/workflows/codeql-reusable.yml@
+# with:
+# language: rust
+
+name: CodeQL Security Analysis (reusable)
+
+on:
+ workflow_call:
+ inputs:
+ language:
+ description: 'CodeQL language identifier (e.g. javascript-typescript, rust, actions). Single language per call; multi-language wrappers invoke the reusable once per language.'
+ type: string
+ required: false
+ default: javascript-typescript
+ build-mode:
+ description: 'CodeQL build mode (none|autobuild|manual). 100% of estate currently uses "none"; override only for compiled languages that require explicit build.'
+ type: string
+ required: false
+ default: none
+ runs-on:
+ description: 'Runner label for the analyze job'
+ type: string
+ required: false
+ default: ubuntu-latest
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ runs-on: ${{ inputs.runs-on }}
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
+ with:
+ languages: ${{ inputs.language }}
+ build-mode: ${{ inputs.build-mode }}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
+ with:
+ category: "/language:${{ inputs.language }}"
From 533aa4653398826825d5867254151d35de1a1433 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 15:12:02 +0100 Subject: [PATCH 2/2] =?UTF-8?q?ci:=20kick=20=E2=80=94=20initial=20PR=20pus?= =?UTF-8?q?h=20appears=20not=20to=20have=20triggered=20Actions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The PR was opened with auto-merge ON 4h ago but no workflow runs ever fired against the head commit. The required-checks gate cannot be satisfied without CI runs, so the PR cannot auto-merge. Pushing this empty commit to re-trigger workflows.
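Review bot: The `build-mode` input's description advertises `manual` as an accepted value, but the `analyze` job runs `codeql-action/init` and `codeql-action/analyze` back to back with no build step between them, so a caller passing `manual` for a compiled language will most likely get an analysis that has seen no compiled code rather than a usable scan. Either narrow the description to `'CodeQL build mode (none|autobuild). Manual builds need a bespoke workflow; this reusable has no build hook.'` or add a `build-command` input with a `run` step between the two guarded by `if: inputs.build-mode == 'manual'`. Separately, the job-level permissions grant only `contents: read` and `security-events: write`; the upstream CodeQL starter workflow also grants `actions: read` (needed for SARIF upload in private repositories) and `packages: read` (needed to fetch private CodeQL packs), so if any of the 263 caller repos is private the analyze step will fail at upload — worth adding, or documenting as a caller responsibility. The caller examples in the header comment end in a bare `@` with no ref; if that is a placeholder, state which ref callers should pin (a tag or full commit SHA rather than a moving branch), consistent with the SHA-pinned action references in the job itself.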