Skip to content

feat(groups): GAR-890 — DELETE /v1/groups/{id} — owner-only group soft-deletion #1939

feat(groups): GAR-890 — DELETE /v1/groups/{id} — owner-only group soft-deletion

feat(groups): GAR-890 — DELETE /v1/groups/{id} — owner-only group soft-deletion #1939

Workflow file for this run

name: CodeQL
# Plan: personal-api-key-revogada-vectorized-matsumoto §Step 2 (PR C).
# Replaces GitHub-native default setup that was failing autobuild on
# crates/garraia-desktop (Tauri) — the source of the "Code scanning
# configuration error" banner in the Security tab.
#
# IMPORTANT: GitHub default-setup must be DISABLED in repo Settings →
# Code security → Code scanning before this workflow's results take
# effect. Otherwise SARIF uploads collide with default-setup's uploads
# under the same category. See docs/security/codeql-setup.md for the
# step-by-step toggle procedure.
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Monday 09:00 UTC — keeps the dependency-bump cycle aligned with
# cargo-audit.yml (also weekly) so RUSTSEC + CodeQL alerts come
# in the same review window.
- cron: '0 9 * * 1'
# Cancel in-flight runs on the same ref to avoid wasting compute when
# multiple commits land in quick succession (mirrors ci.yml convention).
concurrency:
group: codeql-${{ github.ref }}
cancel-in-progress: true
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
# SARIF upload — required for results to appear in the Security tab.
security-events: write
# Read workflow metadata for the action.
actions: read
# Read repo contents for analysis.
contents: read
strategy:
# Don't abort other languages if one fails — keeps partial coverage.
fail-fast: false
matrix:
include:
# CodeQL for Rust uses BUILDLESS (standalone) extraction. Empirical
# evidence from run 25176031230 (the first attempt of this workflow):
# `build-mode: manual` is rejected with "Rust does not support the
# manual build mode. Please try using one of the following build
# modes instead: none." This is the same constraint that made the
# original GitHub-native default setup fail on Tauri — the autobuild
# phase that broke wasn't Rust's; it was the `actions` / `python` /
# `kotlin` autodetection adding garraia-desktop's directory to its
# build path. With buildless Rust extraction + paths-ignore, neither
# problem can recur.
- language: rust
build-mode: none
# JS/TS analysis covers the admin UI under crates/garraia-gateway/admin
# and any project-internal scripts. No build needed.
- language: javascript-typescript
build-mode: none
# Workflow-level analysis (e.g. `actions/missing-workflow-permissions`,
# `actions/unpinned-tag`). The previous default setup analyzed this
# implicitly; the custom setup must list it explicitly. Without this,
# alerts created against .github/workflows/*.yml under the old setup
# never re-evaluate and stick in `open` forever even after the
# underlying YAML is fixed (verified on PR #322 — 2 of 17 Medium
# alerts closed, 15 stuck open until this language was added).
- language: actions
build-mode: none
steps:
- name: Checkout repository
# Match version pinned in ci.yml (verified 2026-04-30).
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
config-file: ./.github/codeql-config.yml
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v4
with:
# Category disambiguates this advanced setup's SARIF uploads
# from any residual default-setup uploads. After default setup
# is disabled, this category is the canonical source of
# /language:* results in the Security tab.
category: "/language:${{ matrix.language }}"