From 6fb64d2022699e198ca96c1f7a4de01891facc83 Mon Sep 17 00:00:00 2001 From: Will Sarg <12886992+willsarg@users.noreply.github.com> Date: Mon, 16 Feb 2026 23:25:57 -0500 Subject: [PATCH] Standardize security workflow and enhance CodeQL analysis (#473) * fix(workflows): standardize runner configuration for security jobs * ci(actionlint): add Blacksmith runner label to config Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config to suppress "unknown label" warnings during workflow linting. This label is used across all workflows after the Blacksmith migration. * Merge branch 'main' into devsecops * fix(actionlint): adjust indentation for self-hosted runner labels * Merge branch 'main' into devsecops * feat(security): enhance security workflow with CodeQL analysis steps * Merge branch 'main' into devsecops * fix(security): update CodeQL action to version 4 for improved analysis * Merge branch 'main' into devsecops --- .github/workflows/security.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 30f0560..5571239 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -16,6 +16,8 @@ permissions: contents: read security-events: write actions: read + security-events: write + actions: read env: CARGO_TERM_COLOR: always @@ -57,7 +59,7 @@ jobs: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: rust @@ -68,4 +70,4 @@ jobs: run: cargo build --workspace --all-targets - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4
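Review bot: The two lines added in the `permissions:` hunk, `security-events: write` and `actions: read`, repeat keys that the unchanged context lines directly above them already set, so the mapping now holds each key twice. Duplicate mapping keys are not valid YAML, and depending on the parser the workflow is either rejected or one value silently wins; if it is rejected, the scanning jobs in this file stop running. This looks like an artifact of the repeated merges from `main` and is worth confirming with a workflow lint run. Drop the two added lines so the block reads `contents: read`, `security-events: write`, `actions: read` once each.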
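Review bot: `github/codeql-action/init@v4` in this hunk and `github/codeql-action/analyze@v4` in the last hunk are referenced by a mutable major tag, while the `actions/checkout` step in the same job is pinned to a full commit SHA with a `# v4` comment. Unless the job overrides the workflow-level permissions shown in the first hunk, these steps run with `security-events: write`, so a moved tag would change the code that runs with that permission without any diff in this repository. Pin both in the same style as the checkout step, for example `uses: github/codeql-action/init@<full-commit-sha> # v4`, and keep init and analyze on the same commit. The job definition starts and ends outside these hunks, so any other steps in it were not reviewed.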