创建codeql.yml

[fmllbai]

💻 变更类型 | Change Type

• feat
• fix
• refactor
• perf
• style
• test
• docs
• ci
• chore
• build

🔀 变更说明 | Description of Change

📝 补充信息 | Additional Information

Summary by CodeRabbit

• New Features
  • None.
• Bug Fixes
  • None.
• Chores
  • Added automated CodeQL security scanning via GitHub Actions, running on pushes, pull requests to main, and on a weekly schedule.
  • Covers JavaScript/TypeScript and Rust codebases to improve vulnerability detection with results surfaced in the repository’s security reports.
  • No user-facing changes or impact on application behavior.

[coderabbitai]

Walkthrough

Introduces a new GitHub Actions workflow (.github/workflows/codeql.yml) named “CodeQL Advanced” to run CodeQL analysis for JavaScript/TypeScript and Rust on pushes, pull requests to main, and a weekly schedule, with dynamic runner selection and standard permissions. Steps include checkout, CodeQL init, optional manual-build guidance, and analysis.

Changes

Cohort / File(s)	Summary of Changes
CI/CD Workflows .github/workflows/codeql.yml	Added CodeQL workflow with matrix for javascript-typescript and rust (build-mode: none), triggers on push/PR to main and weekly cron, dynamic macOS/Ubuntu runner selection, permissions set, steps for checkout, init, optional manual-build placeholder, and analyze; includes customization comments.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub
    participant Runner as Actions Runner
    participant CodeQL as CodeQL Actions

    Dev->>GH: Push/PR to main (or weekly schedule)
    GH-->>Runner: Start "CodeQL Advanced" job (matrix per language)
    Runner->>Runner: Checkout repository
    Runner->>CodeQL: Initialize CodeQL (lang, build-mode none)
    alt build-mode manual (placeholder)
        Runner->>Runner: Emit guidance and fail
    else build-mode none
        Runner->>CodeQL: Analyze (language-scoped category)
        CodeQL-->>GH: Upload results (security alerts)
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Poem

I thump my paws on the CI ground,
New scans hop in without a sound.
Rust and TypeScript, carrot-bright,
CodeQL sniffs the bugs at night.
On cron or push, I take a leap—
Secure burrows, safe and deep. 🥕🐇

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

.github/workflows/codeql.yml (4)

30-31: Simplify runner selection expression (no Swift in matrix).

Since Swift isn’t in the matrix, this always evaluates to ubuntu-latest. Simplify for clarity.

-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    runs-on: ubuntu-latest

---

68-76: Pin action versions to commit SHAs and enable default security query packs.

• For supply-chain hardening, pin actions to immutable commit SHAs (GitHub security best practice).
• Enabling security-extended and security-and-quality increases findings coverage without custom packs.

-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@<commit-sha-for-v3>
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
+        queries: security-extended,security-and-quality

And below:

-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@<commit-sha-for-v3>

If you want, I can fetch and suggest the current SHAs for these actions.

---

59-61: Use full history to improve detection quality in some CodeQL rules.

While not strictly required, using fetch-depth: 0 helps certain rules and baselining.

-    - name: Checkout repository
-      uses: actions/checkout@v4
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0

---

42-58: Add concurrency controls to avoid duplicate in-flight analyses.

This prevents piling up runs on busy branches and saves CI minutes.

   analyze:
     name: Analyze (${{ matrix.language }})
+    concurrency:
+      group: codeql-${{ github.workflow }}-${{ github.ref }}-${{ matrix.language }}
+      cancel-in-progress: true

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these settings in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 995bef7 and 682130a.

📒 Files selected for processing (1)

• .github/workflows/codeql.yml (1 hunks)

🔇 Additional comments (3)

.github/workflows/codeql.yml (3)

31-41: Permissions look good and follow least privilege.

security-events: write is required; packages/actions/contents: read are acceptable for private/internal packs and private repos. No changes needed.

---

14-21: Confirm PR trigger behavior for forks.

On public repos, pull_request from forks runs with a read token; uploading SARIF may be skipped due to insufficient permissions. If you expect results on forked PRs, you’ll need a different pattern (e.g., push-based scanning post-merge, or carefully using pull_request_target with hardened checkout).

Do you want me to propose a safe fork-PR pattern (e.g., only analyze on push to default branch and nightly schedule), or keep current triggers?

---

81-96: Manual build fallback is correctly guarded and fails fast.

The guidance and explicit failure when build-mode is manual is clear and prevents silent misconfigurations.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Drop Rust from the matrix (or switch to autobuild) to avoid failures and wasted minutes.

• This repo primarily contains JavaScript/TypeScript. Running a Rust job will add runtime with no benefit, and build-mode: none is typically not supported for compiled languages like Rust.
• If you actually have Rust code, prefer build-mode: autobuild and ensure the toolchain is available.

Option A — remove Rust entirely:

       matrix:
         include:
         - language: javascript-typescript
           build-mode: none
-        - language: rust
-          build-mode: none

Option B — keep Rust but switch to autobuild (and ensure toolchain):

         - language: rust
-          build-mode: none
+          build-mode: autobuild

To verify if Rust is present in the repo, run:

---

🏁 Script executed:

#!/bin/bash
# Detect Rust presence (source files or Cargo manifest).
fd -H -a -e rs -E "node_modules" -E "dist" -E "build"
fd -H -a "Cargo.toml" -E "node_modules" -E "dist" -E "build"

Length of output: 266

---

Keep Rust scanning — switch CodeQL rust entry to "autobuild" (Rust detected in repo)

Detected Rust at:

• src-tauri/Cargo.toml
• src-tauri/build.rs
• src-tauri/src/main.rs
• src-tauri/src/stream.rs

Do not drop Rust from the matrix. Change the CodeQL matrix entry for rust to use autobuild and ensure the Rust toolchain is available in the workflow.

Suggested change (file: .github/workflows/codeql.yml — around lines 46–50):

       matrix:
         include:
         - language: javascript-typescript
           build-mode: none
         - language: rust
-          build-mode: none
+          build-mode: autobuild

Also ensure the workflow installs a Rust toolchain (e.g., actions-rs/toolchain or similar) before CodeQL autobuild runs so the build succeeds.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- language: javascript-typescript
	build-mode: none
	- language: rust
	build-mode: none
	# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
	- language: javascript-typescript
	build-mode: none
	- language: rust
	build-mode: autobuild
	# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'

🤖 Prompt for AI Agents

In .github/workflows/codeql.yml around lines 46 to 50, the workflow removed Rust
autobuild scanning; change the CodeQL matrix entry for rust from "build-mode:
none" back to "build-mode: autobuild" so Rust is scanned, and add a step prior
to the CodeQL autobuild analysis to install a Rust toolchain (for example using
actions-rs/toolchain or actions/setup-rust) so the autobuild can compile the
workspace; ensure the rust entry remains in the matrix and the toolchain
installation runs before the CodeQL autobuild step.