Standardize security workflow and enhance CodeQL analysis (#477)

* fix(workflows): standardize runner configuration for security jobs * ci(actionlint): add Blacksmith runner label to config Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config to suppress "unknown label" warnings during workflow linting. This label is used across all workflows after the Blacksmith migration. * fix(actionlint): adjust indentation for self-hosted runner labels * feat(security): enhance security workflow with CodeQL analysis steps * fix(security): update CodeQL action to version 4 for improved analysis * fix(security): remove duplicate permissions in security workflow * fix(security): revert CodeQL action to v3 for stability The v4 version was causing workflow file validation failures. Reverting to proven v3 version that is working on main branch. * fix(security): remove pull_request trigger to reduce costs * fix(security): restore PR trigger but skip codeql on PRs * fix(security): resolve YAML syntax error in security workflow * refactor(security): split CodeQL into dedicated scheduled workflow * fix(security): update workflow name to Rust Package Security Audit * fix(codeql): remove push trigger, keep schedule and on-demand only
2026-02-16 23:57:59 -05:00 · 2026-02-16 23:57:59 -05:00 · 1e6f386a97
commit 1e6f386a97
parent 6b5307214f
2 changed files with 39 additions and 23 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -0,0 +1,38 @@
+name: CodeQL Analysis
+
+on:
+    schedule:
+        - cron: "0 6,18 * * *" # Twice daily at 6am and 6pm UTC
+    workflow_dispatch:
+
+concurrency:
+    group: codeql-${{ github.ref }}
+    cancel-in-progress: true
+
+permissions:
+    contents: read
+    security-events: write
+    actions: read
+
+jobs:
+    codeql:
+        name: CodeQL Analysis
+        runs-on: blacksmith-2vcpu-ubuntu-2404
+        timeout-minutes: 30
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+            - name: Initialize CodeQL
+              uses: github/codeql-action/init@v4
+              with:
+                  languages: rust
+
+            - name: Set up Rust
+              uses: dtolnay/rust-toolchain@stable
+
+            - name: Build
+              run: cargo build --workspace --all-targets
+
+            - name: Perform CodeQL Analysis
+              uses: github/codeql-action/analyze@v4
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@ -1,4 +1,4 @@
-name: Security Audit
+name: Rust Package Security Audit

 on:
    push:
@ -47,25 +47,3 @@ jobs:
            - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
              with:
                  command: check advisories licenses sources
-
-    codeql:
-        name: CodeQL Analysis
-        runs-on: blacksmith-2vcpu-ubuntu-2404
-        timeout-minutes: 30
-        steps:
-            - name: Checkout repository
-              uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
-            - name: Initialize CodeQL
-              uses: github/codeql-action/init@v4
-              with:
-                  languages: rust
-
-            - name: Set up Rust
-              uses: dtolnay/rust-toolchain@stable
-
-            - name: Build
-              run: cargo build --workspace --all-targets
-
-            - name: Perform CodeQL Analysis
-              uses: github/codeql-action/analyze@v4