
ci: add CodeQL workflow #410

Merged
nanotaboada merged 1 commit into master from ci/codeql-workflow
Mar 13, 2026

Conversation

@nanotaboada (Owner)

@nanotaboada nanotaboada commented Mar 13, 2026

Summary by CodeRabbit

  • Chores
    • Added automated code analysis to CI to continuously monitor code quality and detect potential issues on pushes, pull requests, and on a weekly schedule.

@coderabbitai

coderabbitai Bot commented Mar 13, 2026

Walkthrough

A new GitHub Actions workflow, .github/workflows/codeql.yml, was added to run CodeQL analysis on pushes and pull requests to the master branch and on a weekly schedule, with a matrix that analyzes the actions and csharp languages.

Changes

Cohort / File(s): CodeQL Workflow Configuration (.github/workflows/codeql.yml)
Summary: Adds a new GitHub Actions workflow named "CodeQL Advanced" that checks out the repo, initializes CodeQL for the selected languages (actions, csharp), and runs CodeQL analysis on pushes, pull requests to master, and on a weekly schedule.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

32-41: Pin third-party actions to immutable commit SHAs.

Lines 32, 35, and 41 use floating major tags (@v4). Pinning to full-length commit SHAs ensures immutability and strengthens workflow supply-chain security. GitHub recommends this as the only way to guarantee action references cannot be modified or deleted by action maintainers.

Suggested hardening with current SHAs
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98

-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98
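Review bot: the three replacement `uses:` lines drop the version information entirely; keep it as a trailing comment, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, so a reader (and Dependabot, which updates SHA-pinned actions using that comment) can tell which release the SHA corresponds to. Also confirm each SHA against the release tag in the action's own repository before applying, since nothing in the diff shows where the values came from; the init and analyze steps sharing one SHA is expected, as both live in the github/codeql-action repository.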


📥 Commits

Reviewing files that changed from the base of the PR and between 566fe8f and f33667c.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
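The two things the thread discusses, the workflow shape from the walkthrough and the SHA-pinning advice from the review comment, as an added Python example that is not part of the PR or the repository: a constructed sample of what the workflow file could look like, and a checker that flags `uses:` references that are not pinned to a full-length commit SHA. It goes slightly beyond the review comment by also flagging SHA pins that lack the trailing `# vX` version comment Dependabot uses to track updates. The sample workflow, its cron expression and the local action path are assumptions; the checkout SHA is the one the review suggested and is not verified here.

```python
"""Check a GitHub Actions workflow for `uses:` references that are not pinned
to a full-length commit SHA. Added example, not part of the PR or the
repository; the workflow text below is a constructed sample modelled on the
walkthrough (CodeQL on push/PR to master plus a weekly cron, matrix of
actions and csharp) and the action refs the review comment discusses."""
import re

# Constructed sample workflow (assumption: layout mirrors what the walkthrough
# describes; the checkout SHA is the one the review suggested, included only to
# show a correctly pinned line with a version comment, not verified here).
SAMPLE_WORKFLOW = """\
name: "CodeQL Advanced"
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: "0 5 * * 1"
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
      actions: read
    strategy:
      fail-fast: false
      matrix:
        language: [actions, csharp]
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v4
      - uses: ./.github/actions/local-step
"""

# A `uses:` value runs up to whitespace or the start of a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_action_pins(workflow_text):
    """Return a list of (line_no, action, ref, problem) tuples.

    problem is one of:
      'floating-ref'     - ref is a tag or branch, not a 40-hex commit SHA,
                           so the action maintainer can move it at any time
      'missing-version'  - SHA pin has no trailing '# vX' comment, which tools
                           such as Dependabot use to track the pinned version
    Local (./) and docker:// references are skipped: they are not resolved
    through a GitHub repository tag, so SHA pinning does not apply to them.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref, "floating-ref"))
        elif "#" not in line:
            findings.append((line_no, action, ref, "missing-version"))
    return findings


if __name__ == "__main__":
    for line_no, action, ref, problem in check_action_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref}: {problem}")
```

Run as a pre-commit hook or a CI step over every file under `.github/workflows/`, the checker reports the two `codeql-action` steps in the sample as floating while the checkout step, pinned with a version comment, passes.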

@nanotaboada nanotaboada merged commit 81da511 into master Mar 13, 2026
8 checks passed
@nanotaboada nanotaboada deleted the ci/codeql-workflow branch March 13, 2026 05:00