From c4564ed4cad04662b49644c2da4d5158c1d4ab40 Mon Sep 17 00:00:00 2001
From: Will Sarg <12886992+willsarg@users.noreply.github.com>
Date: Tue, 17 Feb 2026 00:10:46 -0500
Subject: [PATCH] Standardize security workflow and enhance CodeQL analysis
 (#479)

* fix(workflows): standardize runner configuration for security jobs

* ci(actionlint): add Blacksmith runner label to config

Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.

This label is used across all workflows after the Blacksmith migration.

* fix(actionlint): adjust indentation for self-hosted runner labels

* feat(security): enhance security workflow with CodeQL analysis steps

* fix(security): update CodeQL action to version 4 for improved analysis

* fix(security): remove duplicate permissions in security workflow

* fix(security): revert CodeQL action to v3 for stability

The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.

* fix(security): remove duplicate permissions causing workflow validation failure

The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.

Fixes: workflow file validation failures on main branch

* fix(security): remove pull_request trigger to reduce costs

* fix(security): restore PR trigger but skip codeql on PRs

* fix(security): resolve YAML syntax error in security workflow

* refactor(security): split CodeQL into dedicated scheduled workflow

* fix(security): update workflow name to Rust Package Security Audit

* fix(codeql): remove push trigger, keep schedule and on-demand only

* feat(codeql): add CodeQL configuration file to ignore specific paths
---
 .github/codeql/codeql-config.yml | 8 ++++++++
 .github/workflows/codeql.yml     | 1 +
 2 files changed, 9 insertions(+)
 create mode 100644 .github/codeql/codeql-config.yml

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..5c82c1b
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,8 @@
+# CodeQL configuration for ZeroClaw
+#
+# We intentionally ignore integration tests under `tests/` because they often
+# contain security-focused fixtures (example secrets, malformed payloads, etc.)
+# that can trigger false positives in security queries.
+
+paths-ignore:
+    - tests/**
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9899963..81210b2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,6 +27,7 @@ jobs:
               uses: github/codeql-action/init@v4
               with:
                   languages: rust
+                  config-file: ./.github/codeql/codeql-config.yml
 
             - name: Set up Rust
               uses: dtolnay/rust-toolchain@stable