fix(security): GAR-886 — health run 136 status note (2026-06-14 ~20:4… #1929
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CodeQL | |
| # Plan: personal-api-key-revogada-vectorized-matsumoto §Step 2 (PR C). | |
| # Replaces GitHub-native default setup that was failing autobuild on | |
| # crates/garraia-desktop (Tauri) — the source of the "Code scanning | |
| # configuration error" banner in the Security tab. | |
| # | |
| # IMPORTANT: GitHub default-setup must be DISABLED in repo Settings → | |
| # Code security → Code scanning before this workflow's results take | |
| # effect. Otherwise SARIF uploads collide with default-setup's uploads | |
| # under the same category. See docs/security/codeql-setup.md for the | |
| # step-by-step toggle procedure. | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| # Monday 09:00 UTC — keeps the dependency-bump cycle aligned with | |
| # cargo-audit.yml (also weekly) so RUSTSEC + CodeQL alerts come | |
| # in the same review window. | |
| - cron: '0 9 * * 1' | |
| # Cancel in-flight runs on the same ref to avoid wasting compute when | |
| # multiple commits land in quick succession (mirrors ci.yml convention). | |
| concurrency: | |
| group: codeql-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| analyze: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| permissions: | |
| # SARIF upload — required for results to appear in the Security tab. | |
| security-events: write | |
| # Read workflow metadata for the action. | |
| actions: read | |
| # Read repo contents for analysis. | |
| contents: read | |
| strategy: | |
| # Don't abort other languages if one fails — keeps partial coverage. | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # CodeQL for Rust uses BUILDLESS (standalone) extraction. Empirical | |
| # evidence from run 25176031230 (the first attempt of this workflow): | |
| # `build-mode: manual` is rejected with "Rust does not support the | |
| # manual build mode. Please try using one of the following build | |
| # modes instead: none." This is the same constraint that made the | |
| # original GitHub-native default setup fail on Tauri — the autobuild | |
| # phase that broke wasn't Rust's; it was the `actions` / `python` / | |
| # `kotlin` autodetection adding garraia-desktop's directory to its | |
| # build path. With buildless Rust extraction + paths-ignore, neither | |
| # problem can recur. | |
| - language: rust | |
| build-mode: none | |
| # JS/TS analysis covers the admin UI under crates/garraia-gateway/admin | |
| # and any project-internal scripts. No build needed. | |
| - language: javascript-typescript | |
| build-mode: none | |
| # Workflow-level analysis (e.g. `actions/missing-workflow-permissions`, | |
| # `actions/unpinned-tag`). The previous default setup analyzed this | |
| # implicitly; the custom setup must list it explicitly. Without this, | |
| # alerts created against .github/workflows/*.yml under the old setup | |
| # never re-evaluate and stick in `open` forever even after the | |
| # underlying YAML is fixed (verified on PR #322 — 2 of 17 Medium | |
| # alerts closed, 15 stuck open until this language was added). | |
| - language: actions | |
| build-mode: none | |
| steps: | |
| - name: Checkout repository | |
| # Match version pinned in ci.yml (verified 2026-04-30). | |
| uses: actions/checkout@v6 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| config-file: ./.github/codeql-config.yml | |
| - name: Perform CodeQL analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| # Category disambiguates this advanced setup's SARIF uploads | |
| # from any residual default-setup uploads. After default setup | |
| # is disabled, this category is the canonical source of | |
| # /language:* results in the Security tab. | |
| category: "/language:${{ matrix.language }}" |