ci: remove CodeQL workflow in favour of GHAS default setup #555

Merged: einarwar merged 1 commit into main from chore/remove-codeql-workflow, May 19, 2026
@einarwar
Contributor

Summary

Deletes .github/workflows/codeql.yaml and switches CodeQL analysis to GHAS default setup, managed entirely from the repository settings UI.

The deleted workflow was the stock advanced-setup template with no customisation — no custom query suite, no config file, no path filters, no manual build steps — so default setup produces equivalent analysis coverage for JavaScript/TypeScript and Python with no in-repo file to maintain.

Before merging: enable default setup in the repo

Default setup must be turned on before this PR is merged, otherwise code scanning will stop producing results in the gap between merge and activation.

  1. Go to Settings → Code security → Code scanning.
  2. Under CodeQL analysis, click Set up → Default.
  3. Confirm the suggested languages include JavaScript/TypeScript and Python. Add any others GitHub auto-detects that you want covered.
  4. Leave Query suite on Default (matches what the deleted workflow ran). Switch to Extended only if you want the additional lower-severity / quality queries.
  5. Click Enable CodeQL. The first scan kicks off immediately; subsequent scans run on push to the default branch, on pull requests targeting it, and on a weekly schedule managed by GitHub.

After the first run completes successfully, merge this PR.

What is lost

  • The in-repo audit trail of which languages we scan (now visible only in repo settings).
  • The ability to scope scanning with paths / paths-ignore, custom queries, or a different trigger schedule.

If any of those become desirable later, default setup can be replaced by re-introducing an advanced-setup workflow.
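
The pre-merge condition in the description (default setup enabled, covering JavaScript/TypeScript and Python, on the Default query suite) can also be checked through GitHub's REST endpoint for code-scanning default setup instead of the settings UI. This is an added example, not part of the PR or the repository; the function names and the sample responses are constructed for illustration.

```python
"""Pre-merge check: is CodeQL default setup active with the coverage the PR expects?"""
import json
import urllib.request

# Language identifiers as returned by GitHub's default-setup endpoint.
REQUIRED_LANGUAGES = {"javascript-typescript", "python"}


def fetch_default_setup(owner: str, repo: str, token: str) -> dict:
    """GET /repos/{owner}/{repo}/code-scanning/default-setup (needs network and a token)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/code-scanning/default-setup",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_default_setup(config: dict, expected_suite: str = "default") -> list:
    """Return the reasons merging would leave a scanning gap; empty means ready."""
    problems = []
    state = config.get("state")
    if state != "configured":
        problems.append(f"default setup state is {state!r}, expected 'configured'")
    missing = REQUIRED_LANGUAGES - set(config.get("languages") or [])
    if missing:
        problems.append("languages not covered: " + ", ".join(sorted(missing)))
    suite = config.get("query_suite")
    if suite != expected_suite:
        problems.append(f"query suite is {suite!r}, expected {expected_suite!r}")
    return problems


# Constructed sample responses (not taken from the repository in this PR).
SAMPLE_READY = {"state": "configured", "languages": ["javascript-typescript", "python"],
                "query_suite": "default", "schedule": "weekly"}
SAMPLE_NOT_READY = {"state": "not-configured", "languages": ["python"],
                    "query_suite": "default"}

if __name__ == "__main__":
    for name, sample in (("ready", SAMPLE_READY), ("not ready", SAMPLE_NOT_READY)):
        print(name, "->", check_default_setup(sample) or "OK to merge")
```

Running the same check on a schedule and storing its output gives back a record of which languages are scanned, which the description lists as no longer visible in the repository itself.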

@einarwar einarwar requested a review from a team as a code owner May 19, 2026 12:28
@einarwar einarwar force-pushed the chore/remove-codeql-workflow branch from 5c2a889 to 2e41536 Compare May 19, 2026 12:32
Contributor

@sutne sutne left a comment

Good catch! 🧹✨

Comment thread .github/workflows/codeql.yaml Outdated
The workflow at .github/workflows/codeql.yaml was the stock 'advanced
setup' template with no customisation (no custom query suite, no
config file, no path filters, no manual build steps). It produces the
same analysis coverage as GHAS default setup for JavaScript/TypeScript
and Python, but requires us to maintain the workflow, pin action SHAs
and follow major-version bumps of github/codeql-action.

Switching to default setup removes that maintenance burden. Activation
steps are listed in the PR description.
@einarwar einarwar force-pushed the chore/remove-codeql-workflow branch from 2e41536 to 0e99bbd Compare May 19, 2026 12:59
@einarwar einarwar enabled auto-merge (rebase) May 19, 2026 12:59
@einarwar einarwar merged commit a10e4d6 into main May 19, 2026
10 checks passed
@einarwar einarwar deleted the chore/remove-codeql-workflow branch May 19, 2026 13:00