From 82e96b5c10d82aa053e14d7a03731c464740faa6 Mon Sep 17 00:00:00 2001
From: Matthew Fishman
Date: Mon, 4 May 2026 19:12:09 -0400
Subject: [PATCH 1/2] Add CodeQL.yml caller workflow + template

Calls the new path-aware CodeQL Actions analysis reusable from ITensorActions v2.1.0. Skips analysis on PRs that don't touch .github/workflows (reports success), runs full analysis on workflow-touching PRs, and reports `skipped` on fork PRs that touch workflow files (so auto-merge can't fire and a maintainer must intervene). Replaces the consumer-side CodeQL default-setup that the 2026-05-04 audit ruleset sweep made required. Default-setup deliberately skips fork PRs from external contributors as a security measure, leaving the required `Analyze (actions)` check unreachable on those PRs. The new caller-driven workflow reports a status check that's reachable across PR types, with the right behavior matrix per fork/workflow-touch combination. Resulting status-check name: `CodeQL / Analyze (actions)`. Branch rulesets need to require this string instead of the default-setup `Analyze (actions)` once consumers swap over. Both copies updated per the ITensorPkgSkeleton convention: .github/workflows/CodeQL.yml is the actual workflow this skeleton repo uses, and template/.github/workflows/CodeQL.yml.template is what MassApplyPatch installs into consumer repos during sweeps.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
.github/workflows/CodeQL.yml | 13 +++++++++++++
template/.github/workflows/CodeQL.yml.template | 13 +++++++++++++
2 files changed, 26 insertions(+)
create mode 100644 .github/workflows/CodeQL.yml
create mode 100644 template/.github/workflows/CodeQL.yml.template

diff --git a/.github/workflows/CodeQL.yml b/.github/workflows/CodeQL.yml
new file mode 100644
index 0000000..d2fcb68
--- /dev/null
+++ b/.github/workflows/CodeQL.yml
@@ -0,0 +1,13 @@
+name: "CodeQL"
+on:
+ pull_request:
+ branches:
+ - "main"
+permissions:
+ contents: "read"
+ security-events: "write"
+ actions: "read"
+jobs:
+ codeql:
+ name: "CodeQL"
+ uses: "ITensor/ITensorActions/.github/workflows/CodeQL.yml@v2"
diff --git a/template/.github/workflows/CodeQL.yml.template b/template/.github/workflows/CodeQL.yml.template
new file mode 100644
index 0000000..d2fcb68
--- /dev/null
+++ b/template/.github/workflows/CodeQL.yml.template
@@ -0,0 +1,13 @@
+name: "CodeQL"
+on:
+ pull_request:
+ branches:
+ - "main"
+permissions:
+ contents: "read"
+ security-events: "write"
+ actions: "read"
+jobs:
+ codeql:
+ name: "CodeQL"
+ uses: "ITensor/ITensorActions/.github/workflows/CodeQL.yml@v2"

From 959d1404b6f671b4fff360849df090ab20e10ed4 Mon Sep 17 00:00:00 2001
From: Matthew Fishman
Date: Mon, 4 May 2026 19:16:33 -0400
Subject: [PATCH 2/2] Bump version to 0.3.60

Patch bump for the CodeQL.yml caller workflow + template addition.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
Project.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Project.toml b/Project.toml
index 55b08f4..103abfd 100644
--- a/Project.toml
+++ b/Project.toml
@@ -1,6 +1,6 @@
 name = "ITensorPkgSkeleton"
 uuid = "3d388ab1-018a-49f4-ae50-18094d5f71ea"
-version = "0.3.59"
+version = "0.3.60"
 authors = ["ITensor developers and contributors"]
 
 [workspace]
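Review bot: The `uses:` line closing the hunk references the reusable workflow by the mutable `@v2` major tag, although the commit message says the behaviour depends on ITensorActions v2.1.0; a floating tag can be re-pointed upstream, which is the supply-chain exposure a check meant to gate workflow-touching PRs should not itself carry. Pin the callee to a full commit SHA and keep the human-readable version as a trailing comment, e.g. `uses: "ITensor/ITensorActions/.github/workflows/CodeQL.yml@<FULL-COMMIT-SHA-OF-v2.1.0>  # v2.1.0"`, and advance it through the existing sweep tooling. The identical line appears in the second hunk for template/.github/workflows/CodeQL.yml.template, which is what MassApplyPatch installs into consumer repos, so both copies should change together. As rendered here the YAML indentation has been collapsed, so I assume the nesting under `on:`, `permissions:` and `jobs:` is the conventional one. A short header comment naming the check this file produces, `# Produces the required status check "CodeQL / Analyze (actions)"; keep the job name in sync with branch rulesets.`, would help consumer-repo maintainers who receive the template without this commit message.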