ci(codeql): switch to advanced workflow + drop default setup#72

Merged
jbdevprimary merged 1 commit intomainfrom
ci/codeql-advanced-setup
May 6, 2026

Conversation


@jbdevprimary jbdevprimary commented May 6, 2026

Disables default-setup CodeQL (which only runs on push to default branch and weekly) and replaces it with a custom workflow that runs on push to all branches.

This unblocks pushes to feature branches when the Enterprise PRs ruleset code_scanning rule is active — default-setup never runs against feature-branch pushes, so the rule rejects them indefinitely with Waiting for Code Scanning results.

Maintained centrally at github.com/jbdevprimary/gh-fleet-sync.

Summary by CodeRabbit

  • Chores
    • Added automated CodeQL analysis to improve code security and quality. Analysis runs on pushes, pull requests to main, and weekly schedules.

@gemini-code-assist
Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

coderabbitai Bot commented May 6, 2026

Walkthrough

A new GitHub Actions workflow for CodeQL static analysis has been added. The workflow triggers on pushes, pull requests to main, and a weekly schedule, analyzing both JavaScript/TypeScript and GitHub Actions code using the security-and-quality query suite.

Changes

CodeQL Workflow Configuration

Workflow Structure (.github/workflows/codeql.yml, lines 1–35)
Workflow named "CodeQL" with triggers for push (excluding dependabot/* and gh-readonly-queue/*), pull_request targeting main, and a weekly cron schedule. Concurrency is configured to cancel in-progress runs per ref.

Analysis Job Setup (.github/workflows/codeql.yml, lines 36–55)
Job analyze runs with a timeout of 360 minutes, read and security-events permissions, and a matrix strategy covering the javascript-typescript and actions languages, both with build-mode set to none.

CodeQL Analysis Steps (.github/workflows/codeql.yml, lines 56–71)
Three steps: check out the code via actions/checkout@v4, initialize CodeQL with the selected languages and the security-and-quality query suite, and run the CodeQL analysis with a language-based category identifier.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A bunny hops through code with glee,
CodeQL now watches carefully!
Security scans and quality bright,
JavaScript, Actions—all held tight! ✨
Static analysis, our shields ignite! 🛡️

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title directly and accurately summarizes the main change: switching from the default CodeQL setup to an advanced custom workflow configuration.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



@amazon-q-developer amazon-q-developer Bot left a comment


This PR successfully replaces the default CodeQL setup with an advanced workflow that addresses the Enterprise ruleset requirement. The workflow configuration is sound with proper triggers, permissions, and concurrency controls. No blocking issues identified.


coderabbitai Bot previously requested changes May 6, 2026
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 56-70: Replace the mutable action tags used in the workflow
(actions/checkout@v4, github/codeql-action/init@v3,
github/codeql-action/analyze@v3) with their corresponding full-length immutable
commit SHAs; locate the steps named "Checkout", "Initialize CodeQL", and
"Perform CodeQL Analysis" in the workflow and update the uses: values to the
pinned commit SHAs for those action repositories, ensuring you copy the exact
full commit hashes from the official action repositories/releases and run a
quick workflow lint to verify syntax.
- Around line 17-27: Add the missing merge_group trigger to the workflow's
top-level on: configuration so the workflow also runs for merge queue events;
update the event list alongside existing keys ('push', 'pull_request',
'schedule') to include 'merge_group' (and mirror any required filters used for
pull_request if needed) so required checks report correctly when using the merge
queue.


📥 Commits

Reviewing files that changed from the base of the PR and between 1d53193 and 221ea6e.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

@jbdevprimary jbdevprimary dismissed coderabbitai[bot]’s stale review May 6, 2026 17:03

Bot reviewer; nice-to-haves not blocking

@jbdevprimary jbdevprimary merged commit 2df1918 into main May 6, 2026
9 of 10 checks passed
@jbdevprimary jbdevprimary deleted the ci/codeql-advanced-setup branch May 6, 2026 17:03
jbdevprimary added a commit that referenced this pull request May 6, 2026
Two follow-ups to the workflow that landed in PR #72:

  1. workflow_dispatch trigger so we can manually run scans against
     branches already behind the Enterprise PRs ruleset (the rule
     rejects the push that would otherwise trigger the scan —
     classic chicken-and-egg with no other escape hatch).

  2. Single-quoted yaml string at line 71 to match the local
     Prettier config (the canonical version was double-quoted; this
     repo uses singleQuote in its prettier config).
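The workflow the walkthrough above describes, with the review's merge_group suggestion and the follow-up commit's workflow_dispatch trigger folded in, as an added example that is not the repository's own codeql.yml; the cron time, runner image, `**` globs and the SHA placeholder are assumptions:

```yaml
# Added example: CodeQL workflow assembled from the walkthrough, the two review
# comments and the follow-up commit on this page; not the repository's own file.
# Assumptions: the cron expression, the runner, the ** globs, and the SHA placeholder.
name: CodeQL

on:
  push:
    branches-ignore: ['dependabot/**', 'gh-readonly-queue/**']
  pull_request:
    branches: ['main']
  merge_group:        # review comment: merge-queue runs must also report a result
  workflow_dispatch:  # follow-up commit: manual runs for branches already blocked
  schedule:
    - cron: '0 6 * * 1' # weekly; the exact time is an assumption

concurrency:
  group: codeql-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 360
    permissions:
      contents: read           # checkout
      security-events: write   # upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        include:
          - { language: javascript-typescript, build-mode: none }
          - { language: actions, build-mode: none }
    steps:
      # Review comment: pin each action to a full commit SHA rather than the
      # mutable @v4/@v3 tags, e.g. actions/checkout@<FULL_SHA> # v4.x.y
      # (<FULL_SHA> is a placeholder; copy the hash from the action's release).
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-and-quality
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:${{ matrix.language }}'
```

Because push now fires on every branch, a feature-branch push produces a code scanning result the ruleset can consume instead of waiting indefinitely, and workflow_dispatch covers branches whose push was already rejected.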