From ada14d802ce867162f39f800c7dd8f8d9adb5e56 Mon Sep 17 00:00:00 2001 From: bdimitrov-netzine Date: Fri, 10 Jul 2026 11:13:07 +0300 Subject: [PATCH] ci: remove CodeQL code-scanning workflow Drop the weekly/push-to-main CodeQL Rust analysis. Removing it stops the scheduled + on-push runs and no new alerts will be produced going forward. Note: this only removes the advanced (workflow-based) setup. If GitHub's 'default' CodeQL setup is also enabled for the repo, or code-scanning is required by a branch-protection/org policy, that must be turned off in Settings > Code security separately. --- .github/workflows/codeql.yml | 86 ------------------------------------ 1 file changed, 86 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 5972cc9..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,86 +0,0 @@ -name: CodeQL - -# Advanced setup: the default setup's language autodetection picked Java for this -# repo (no Java source exists here — the workspace is Rust), so this workflow pins -# the language explicitly instead. -# -# Rust analysis uses `build-mode: none` — CodeQL's Rust extractor uses -# rust-analyzer to resolve macros and run build scripts without a full -# `cargo build`, so no compile step is needed here (unlike pr.yaml's test/clippy -# jobs). System deps are still installed because the one `build.rs` in the -# workspace (crates/infrastructure/network-cli) and macro-heavy crates may need -# them to resolve correctly during extraction. - -permissions: - contents: read - -# Runs on push to main + weekly, not on every PR: a full Rust extraction takes -# ~40 min, CodeQL isn't a required check, and the Security > Code Scanning tab -# is populated from main analyses (PR runs only add inline diff annotations). -# Newly introduced issues are caught on merge to main + the weekly scan. -on: - push: - branches: [main] - schedule: - - cron: '0 6 * * 1' # 06:00 UTC every Monday - workflow_dispatch: - -concurrency: - group: codeql-${{ github.ref }} - cancel-in-progress: true - -jobs: - analyze: - name: Analyze (${{ matrix.language }}) - runs-on: ubuntu-latest - timeout-minutes: 60 - permissions: - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - include: - - language: rust - build-mode: none - - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 1 - - - name: Install Rust 1.91.0 - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master - with: - toolchain: 1.91.0 - - - name: Install build dependencies - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends \ - build-essential cmake libclang-16-dev pkg-config libssl-dev libapr1-dev - - - name: Initialize CodeQL - uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # Broader security coverage (default suite + extra security queries). - queries: security-extended - # Keep alerts on shipped code: drop test harnesses and fixtures. - # Note: inline #[cfg(test)] modules can't be path-excluded, but under - # build-mode: none the `test` cfg isn't enabled, so they aren't - # analyzed anyway — this targets the separate test dirs/crates. - config: | - paths-ignore: - - '**/tests/**' - - '**/benches/**' - - '**/examples/**' - - 'crates/testing/**' - - - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 - with: - category: "/language:${{ matrix.language }}"