From 1e6f386a97e3de0b273b844504621f848d0f8eef Mon Sep 17 00:00:00 2001
From: Will Sarg <12886992+willsarg@users.noreply.github.com>
Date: Mon, 16 Feb 2026 23:57:59 -0500
Subject: [PATCH] Standardize security workflow and enhance CodeQL analysis
 (#477)

* fix(workflows): standardize runner configuration for security jobs

* ci(actionlint): add Blacksmith runner label to config

Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.

This label is used across all workflows after the Blacksmith migration.

* fix(actionlint): adjust indentation for self-hosted runner labels

* feat(security): enhance security workflow with CodeQL analysis steps

* fix(security): update CodeQL action to version 4 for improved analysis

* fix(security): remove duplicate permissions in security workflow

* fix(security): revert CodeQL action to v3 for stability

The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.

* fix(security): remove pull_request trigger to reduce costs

* fix(security): restore PR trigger but skip codeql on PRs

* fix(security): resolve YAML syntax error in security workflow

* refactor(security): split CodeQL into dedicated scheduled workflow

* fix(security): update workflow name to Rust Package Security Audit

* fix(codeql): remove push trigger, keep schedule and on-demand only
---
 .github/workflows/codeql.yml   | 38 ++++++++++++++++++++++++++++++++++
 .github/workflows/security.yml | 24 +--------------------
 2 files changed, 39 insertions(+), 23 deletions(-)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..9899963
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,38 @@
+name: CodeQL Analysis
+
+on:
+    schedule:
+        - cron: "0 6,18 * * *" # Twice daily at 6am and 6pm UTC
+    workflow_dispatch:
+
+concurrency:
+    group: codeql-${{ github.ref }}
+    cancel-in-progress: true
+
+permissions:
+    contents: read
+    security-events: write
+    actions: read
+
+jobs:
+    codeql:
+        name: CodeQL Analysis
+        runs-on: blacksmith-2vcpu-ubuntu-2404
+        timeout-minutes: 30
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+            - name: Initialize CodeQL
+              uses: github/codeql-action/init@v4
+              with:
+                  languages: rust
+
+            - name: Set up Rust
+              uses: dtolnay/rust-toolchain@stable
+
+            - name: Build
+              run: cargo build --workspace --all-targets
+
+            - name: Perform CodeQL Analysis
+              uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 61f04c9..bf12c0f 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -1,4 +1,4 @@
-name: Security Audit
+name: Rust Package Security Audit
 
 on:
     push:
@@ -47,25 +47,3 @@ jobs:
             - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
               with:
                   command: check advisories licenses sources
-
-    codeql:
-        name: CodeQL Analysis
-        runs-on: blacksmith-2vcpu-ubuntu-2404
-        timeout-minutes: 30
-        steps:
-            - name: Checkout repository
-              uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
-            - name: Initialize CodeQL
-              uses: github/codeql-action/init@v4
-              with:
-                  languages: rust
-
-            - name: Set up Rust
-              uses: dtolnay/rust-toolchain@stable
-
-            - name: Build
-              run: cargo build --workspace --all-targets
-
-            - name: Perform CodeQL Analysis
-              uses: github/codeql-action/analyze@v4