ci: add CodeQL Advanced security scanning workflow#387

Open: cheese-cakee wants to merge 1 commit into hiero-ledger:main from cheese-cakee:issue-386-codeql

Conversation

Member

@cheese-cakee cheese-cakee commented Apr 13, 2026

Description

Adds security scanning via GitHub CodeQL to detect vulnerabilities in JavaScript/TypeScript source and GitHub Actions workflows.

Changes Made

  • Added .github/workflows/codeql.yml — CodeQL Advanced workflow with matrix strategy analyzing javascript-typescript and actions languages
  • Updated docs/07-github-automation.md — documented the new workflow

Related Issues

Closes #386

Checklist

  • Tests added/updated (CodeQL is security scanning, not unit tests)
  • Documentation updated
  • Linting passes (YAML validated, follows repo conventions)
  • Branch up-to-date with main

Summary by CodeRabbit

  • Chores

    • Implemented automated security scanning in the continuous integration workflow. Vulnerability detection now runs on all pushes to the main branch, pull requests targeting main, and on a daily schedule.
  • Documentation

    • Updated documentation explaining the automated security scanning process and what contributors should expect during code review.

@cheese-cakee cheese-cakee requested review from a team as code owners April 13, 2026 20:24

netlify bot commented Apr 13, 2026

Deploy Preview for hiero-open-source ready!

Latest commit: 63189f4
Latest deploy log: https://app.netlify.com/projects/hiero-open-source/deploys/69dd536e65064e0008619269
Deploy Preview: https://deploy-preview-387--hiero-open-source.netlify.app

Contributor

lfdt-bot commented Apr 13, 2026

Snyk checks have passed. No issues have been found so far.

Scan engine: Open Source Security. Critical 0, High 0, Medium 0, Low 0, Total 0 issues.


Contributor

coderabbitai bot commented Apr 13, 2026

Warning

Rate limit exceeded

@cheese-cakee has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 41 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 49 minutes and 41 seconds.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5b221b64-b00c-42d1-af54-868462127750

📥 Commits

Reviewing files that changed from the base of the PR and between 36fcb44 and 63189f4.

📒 Files selected for processing (2)
  • .github/workflows/codeql.yml
  • docs/07-github-automation.md
Walkthrough

This pull request adds a CodeQL Advanced workflow to automatically scan GitHub Actions workflows and JavaScript/TypeScript code for security vulnerabilities. The workflow triggers on main branch pushes, pull requests, and daily schedules, with documentation added explaining the configuration and its impact on contributor expectations.

Changes

CodeQL Workflow Configuration (.github/workflows/codeql.yml): Introduced a new GitHub Actions workflow file that runs CodeQL analysis on actions and javascript-typescript languages with the security-extended query suite. Configured with concurrency controls, scheduled triggers (daily at 23:28 UTC), and explicit handling for push/pull request events targeting the main branch, excluding markdown-only changes.

Documentation (docs/07-github-automation.md): Updated documentation to describe the new CodeQL workflow, including trigger conditions, matrix-based language analysis configuration, and query suite selection. Added security-vulnerability detection to the "What Contributors Should Expect" section as a potential reason for PR rejection.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes


Pre-merge checks (5 passed)

Description check: Passed. The pull request description covers all key sections of the template: description of purpose, changes made with checkboxes marked, related issues, and a completion checklist with appropriate explanations for non-standard items.
Linked Issues check: Passed. The pull request fully addresses issue #386 by implementing a CodeQL workflow tailored for the hiero-website repository, analyzing javascript-typescript and actions languages as required, following existing project patterns.
Out of Scope Changes check: Passed. All changes are directly aligned with the objective to add a CodeQL workflow and its documentation; no out-of-scope modifications were introduced.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check: Passed. The title 'ci: add CodeQL Advanced security scanning workflow' directly and concisely describes the main change, adding a CodeQL security scanning workflow. It is clear, specific, and accurately reflects the primary objective of the PR.



codacy-production bot commented Apr 13, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


Contributor

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

5-14: Add workflow_dispatch trigger for on-demand CodeQL scans.

Other workflows in this repository (e.g., ci.yml) already include this trigger. It's useful for incident response or quick validation after query/config tuning without waiting for scheduled runs or pushes.

🔧 Suggested update
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["main"]
     paths-ignore:
       - "**/*.md"
   schedule:
     - cron: "28 23 * * *"
+  workflow_dispatch:
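Review bot: the `paths-ignore: "**/*.md"` under `pull_request` in this block will bite if the CodeQL job is ever made a required status check: a markdown-only PR never starts the workflow, so the check sits pending and the PR cannot merge, while `push` on main has no matching filter, so main and PR runs cover different change sets. Either drop the `paths-ignore` (a CodeQL run on a docs-only change costs a few minutes) or mirror it under `push` and keep the check non-required. The `workflow_dispatch:` line itself is the right fix for on-demand runs and needs no inputs.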

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7f0fd07b-7948-4155-981d-cef614006524

📥 Commits

Reviewing files that changed from the base of the PR and between 287d245 and 36fcb44.

📒 Files selected for processing (2)
  • .github/workflows/codeql.yml
  • docs/07-github-automation.md

Adds security scanning via GitHub CodeQL to detect vulnerabilities
in JavaScript/TypeScript source and GitHub Actions workflows.

- Analyzes javascript-typescript and actions with build-mode: none
- Uses security-extended query suite for comprehensive coverage
- SHA-pinned actions following existing repo conventions
- Daily scheduled run at 23:28 UTC plus push/PR triggers
- paths-ignore on PRs to skip markdown-only changes
- Updated docs/07-github-automation.md

Closes hiero-ledger#386

Signed-off-by: cheese-cakee <farzanaman99@gmail.com>
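The full shape of the workflow that the PR description and commit message above describe, written out here as an added example: it is not the PR's codeql.yml and not project code. It has one job with a matrix over javascript-typescript and actions, build-mode none, the security-extended suite, the 23:28 UTC schedule, the markdown paths-ignore on pull_request, and the workflow_dispatch trigger the review asked for. The permissions block, the concurrency group name, the job name and the category passed to the analyze step are my assumptions; the PR says concurrency controls exist but does not give their values. Action references are shown as version tags for readability, whereas the repo convention the commit message cites is a full commit SHA.

```yaml
# Added example of a CodeQL Advanced workflow matching the configuration the
# PR describes. Not the PR's own codeql.yml; see the assumptions noted inline.
name: CodeQL Advanced

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
    paths-ignore:
      - "**/*.md"           # markdown-only PRs skip the scan, as in the PR
  schedule:
    - cron: "28 23 * * *"   # daily at 23:28 UTC, as in the PR
  workflow_dispatch:        # on-demand runs, per the review suggestion

# Assumed token scopes: the analyze step uploads SARIF to code scanning and
# needs security-events: write; everything else stays read-only.
permissions:
  contents: read
  security-events: write
  actions: read

# Assumed concurrency settings: cancel a superseded run for the same ref so
# repeated pushes to a PR do not queue several scans.
concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})   # assumed job name
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false                        # one failing language must not hide the other
      matrix:
        include:
          - language: javascript-typescript
            build-mode: none
          - language: actions
            build-mode: none
    steps:
      # Repo convention is to pin third-party actions to a full 40-hex commit
      # SHA with the tag as a trailing comment (uses: owner/repo@<sha> # vX.Y.Z).
      # Version tags are used here only for readability; substitute the vetted
      # SHA before committing, otherwise a moved tag can change what runs.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # security-extended = the default security queries plus lower-precision
          # ones; expect more findings to triage than with the default suite.
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"   # assumed; keeps results per language
```

Two things to check after adding a file like this: the security-events: write scope is what lets the analyze step upload results to code scanning, so a more restrictive default token makes the upload fail rather than the analysis; and, as the author notes later in this thread, uploads from an advanced workflow are rejected while the repository's default CodeQL setup is still enabled, so the switch in Settings > Code security has to happen before the checks go green.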
@cheese-cakee cheese-cakee changed the title Add CodeQL Advanced security scanning workflow ci: add CodeQL Advanced security scanning workflow Apr 13, 2026
Member Author

cheese-cakee commented Apr 13, 2026

The CodeQL check failures are expected until the default CodeQL setup is disabled in repo Settings > Code security.

I think someone with permission needs to switch from 'Default' to 'Advanced' (or disable it) since a custom codeql.yml now handles analysis. Thank you.



Development

Successfully merging this pull request may close these issues.

[Intermediate]: Add static workflow checking for the hiero website
