ci: add CodeQL workflow for Go (SAST)

[myasnikovdaniil]

What this PR does

Raises the OpenSSF Scorecard SAST check (was 0/10) by adding GitHub's recommended CodeQL static analysis for Go. CodeQL is free for public repositories and is the SAST tool Scorecard recognizes directly.

• Triggers on push to main, PRs to main, and a weekly schedule (Mon 03:27 UTC, offset from the other Monday cron jobs).
• Results are uploaded to the code-scanning dashboard via github/codeql-action/analyze.

Why autobuild

The Go analysis uses build-mode: autobuild. Go's CodeQL extractor only supports autobuild or manual (not none), so autobuild is the low-friction choice. It discovers every go.mod in the tree and extracts each module separately — the root module, api/apps/v1alpha1, and the three nested image modules a root go build ./... never reaches — giving broader coverage than a single root build. Before falling back to the Go build it first attempts make from the repo root, which runs the default Makefile goal (including a network git fetch upstream --tags). setup-go pins the toolchain to the go.mod version so the extractor uses the project's Go rather than whatever the runner ships.

Security posture

• Top-level token is read-only; the analyze job opts into security-events: write (plus contents: read, actions: read) only.
• actions/checkout is pinned to v6.0.2 (matching scorecard.yml) with persist-credentials: false.
• codeql-action/init and /analyze are pinned to the v4.36.2 SHA — the same commit as scorecard.yml's upload-sarif, keeping every codeql-action ref in the repo on one commit and clear of the v3 deprecation warning.

Verification

• actionlint: exit 0.
• Valid YAML.
• No run: steps → no untrusted-input injection surface.

SAST is a ramping check: Scorecard credits the CodeQL workflow's presence immediately and the score climbs toward full as subsequent merged PRs get analyzed.

Release note

ci: add CodeQL static analysis (SAST) for Go, running on push/PR to main and weekly

Summary by CodeRabbit

• Chores
  • Enabled automated security scanning via CodeQL on pushes, pull requests targeting the main branch, and on a weekly schedule.
  • Added workflow controls for concurrency and longer execution time, with support for Go-based analysis using an autobuild setup.
  • Updated the SARIF upload step to use the latest CodeQL action version to improve reliability while maintaining secure, minimal permissions.

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6b8232f3-8047-46e8-b8a8-ad2d348f8c60

📥 Commits

Reviewing files that changed from the base of the PR and between 0d6aaf9 and 89b6c40.

📒 Files selected for processing (2)

• .github/workflows/codeql.yml
• .github/workflows/scorecard.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/codeql.yml

---

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions CodeQL workflow that runs on pushes and pull requests to main and weekly, configures workflow-level read permissions, job-level security-events write permission, concurrency cancellation, a Go CodeQL matrix, and pinned CodeQL action SHAs. Also updates the scorecard workflow to use CodeQL action v4.36.2.

Changes

CodeQL and Security Scanning Workflows

Layer / File(s)	Summary
CodeQL workflow metadata and triggers .github/workflows/codeql.yml	Workflow name and triggers for main (push, pull_request) and a weekly cron; default workflow permissions set to contents: read; concurrency group keyed by workflow and ref to cancel duplicate runs.
CodeQL analyze job setup .github/workflows/codeql.yml	Introduces the analyze job running on ubuntu-latest with a 120-minute timeout, job permissions including security-events: write, and a CodeQL matrix for Go with build-mode: autobuild and fail-fast: false.
CodeQL job steps: checkout, Go setup, init, analyze .github/workflows/codeql.yml	Steps check out the repo without persisting credentials, set up Go from go.mod (cache disabled), initialize CodeQL for the matrix language/build-mode using pinned github/codeql-action/init@v4.36.2, and run analysis with pinned github/codeql-action/analyze@v4.36.2 using category: /language:${{ matrix.language }}.
Scorecard SARIF upload action version bump .github/workflows/scorecard.yml	Upload SARIF step updated to use github/codeql-action/upload-sarif@v4.36.2 instead of v3, aligning with the CodeQL action versions used in the new workflow.

Sequence Diagram

sequenceDiagram
  participant GitHub as GitHub (event)
  participant Runner as Actions Runner
  participant Checkout as actions/checkout
  participant SetupGo as actions/setup-go
  participant CodeQLInit as codeql-action/init
  participant CodeQLAnalyze as codeql-action/analyze

  GitHub->>Runner: trigger workflow (push/PR/cron)
  Runner->>Checkout: checkout repository (persist-credentials: false)
  Runner->>SetupGo: setup Go from go.mod
  Runner->>CodeQLInit: init CodeQL (Go, autobuild)
  Runner->>CodeQLAnalyze: run CodeQL analysis
  CodeQLAnalyze->>GitHub: upload security events

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• cozystack/cozystack#2720: Both PRs modify github/codeql-action/upload-sarif version and pinned commit hash in .github/workflows/scorecard.yml.
• cozystack/cozystack#2721: Both PRs update the github/codeql-action/upload-sarif action to v4.36.2 in .github/workflows/scorecard.yml.

Suggested labels

security, area/ci

Suggested reviewers

• kvaps
• lllamnyp
• lexfrei
• androndo
• IvanHunters
• sircthulhu

Poem

🐰 A rabbit hops through CI's glade,
CodeQL checks the paths we've made.
Go modules set, the scans commence,
Security events, permissions dense.
A tiny hop for safer code, hooray!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: add CodeQL workflow for Go (SAST)' clearly and concisely summarizes the main change: adding a CodeQL static analysis workflow for Go to the CI/CD configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/scorecard-codeql

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[Aleksei Sviridkin (lexfrei)]

NOT LGTM — the workflow itself runs green and the hardening (read-only token, SHA pins, persist-credentials: false) checks out, but it pins a CodeQL Action major that its own run already flags as deprecated, and the in-file comments contradict the observed runtime behavior.

Business context: raises the OpenSSF Scorecard SAST check (currently 0/10) by adding GitHub's CodeQL analysis for Go, the SAST tool Scorecard credits directly.

Blockers

B1: codeql-action pinned to v3, which is already on a deprecation path; v4 is GA

File: .github/workflows/codeql.yml:60,66 (and .github/workflows/scorecard.yml:53)
Issue: both init and analyze pin github/codeql-action@03e4368a (v3.36.0).
Evidence: this PR's own green run prints ##[warning]CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4.
Impact: a brand-new workflow ships with a warning in every run and a guaranteed follow-up PR within months. The warning says "all occurrences": scorecard.yml:53 pins upload-sarif to the same v3 SHA — same fix, same PR.
Fix: bump all three occurrences to the current v4 SHA; verify the rerun is green with no deprecation warning.

B2: in-file comments contradict what the job actually does

File: .github/workflows/codeql.yml:39-43 and :9-10
Issue: the autobuild comment claims it "runs the Go build the same way go build ./... does". The run log shows otherwise: the autobuilder discovered all 5 go.mod files and extracted each module separately (root, api/apps/v1alpha1, plus three nested image modules go build ./... from the root would never touch), and before that it tried make, executing the root Makefile's default goal — which on a depth-1 checkout added an upstream remote and ran a network git fetch upstream --tags (dozens of [new branch] ... -> upstream/... lines in the log). Separately, the cron comment calls stale a Monday job, but stale.yaml runs 37 4 * * * — daily.
Evidence: run 27197771777 logs (extractor invoked per-module; fetch lines), stale.yaml schedule in main.
Impact: the comments are the only documentation of this workflow's behavior; a future maintainer reading them concludes coverage is narrower than it is and misses that the job executes the repo Makefile with network side effects.
Fix: rewrite the autobuild comment to state: autobuild discovers every go.mod and extracts each module (nested image modules included) and attempts make from the repo root; fix or drop the stale reference in the cron comment.

Non-blocking follow-ups

1. The PR body still argues for build-mode: none ("Why build-mode: none" section), but the branch switched to autobuild in its second commit — please update the body so the recorded rationale matches what ships.
2. actions/checkout is pinned to v4.3.1 while scorecard.yml — the only other SHA-pinned workflow — is on v6; for a new file consider starting at v6 so the security workflows track one version.
3. concurrency.group: codeql-${{ github.workflow }}-${{ github.ref }} expands to codeql-CodeQL-<ref> — the hardcoded prefix duplicates the workflow name. Cosmetic.
4. No paths filter means ~5 min of CodeQL on every PR including Helm/docs-only ones. That matches GitHub's own guidance (path filters break required-check semantics), just noting it as a known tradeoff.

Verified while reviewing: all three SHA pins resolve to the tags their comments claim (checkout v4.3.1, setup-go v5.6.0, codeql-action v3.36.0); the Analyze (go) job passed on this PR's HEAD in 5m1s with SARIF uploaded; coverage is actually better than the comment claims (all 5 modules extracted); go-version-file: go.mod is consistent across all module files (go 1.26.2).

[Aleksei Sviridkin (lexfrei)]

This PR's own run warns: CodeQL Action v3 will be deprecated in December 2026... update all occurrences to v4. Current v4 is GA — please pin the v4 SHA here, on analyze below, and on upload-sarif in scorecard.yml:53 (same SHA, same warning).

[myasnikovdaniil]

Done in e40db8c — init, analyze, and scorecard.yml's upload-sarif are now pinned to the v4.36.2 commit SHA (8aad20d), the current GA release, so the v3 deprecation warning is gone.

[Aleksei Sviridkin (lexfrei)]

The run log contradicts this comment: autobuild discovered all 5 go.mod files and extracted each module separately (including the three nested image modules that go build ./... from the root never touches), and it first attempted make, which executed the root Makefile and ran a network git fetch upstream --tags on the runner. Coverage is better than stated, but the mechanism is different — please rewrite to describe the actual behavior.

[myasnikovdaniil]

Rewritten in 445a2fb. The comment now states autobuild discovers every go.mod and extracts each module separately (root, api/apps/v1alpha1, and the three nested image modules a root go build ./... never reaches), and that it first attempts make from the repo root — which runs the default Makefile goal, including the network git fetch upstream --tags — before falling back to the Go build.

[Aleksei Sviridkin (lexfrei)]

stale.yaml runs 37 4 * * * — daily, not Mondays. The 03:27 Monday slot itself is fine; just fix the comment.

[myasnikovdaniil]

Fixed in 6b12123. The comment now lists scorecard (06:00 Mon) and labels (04:17 Mon) as the Monday jobs and notes stale (04:37) runs daily.

[myasnikovdaniil]

Aleksei Sviridkin (@lexfrei) Thanks for the detailed review — all three blockers are addressed, plus the non-blocking follow-ups:

• B1 (e40db8c): init/analyze and scorecard.yml's upload-sarif now pin v4.36.2 (8aad20d); the v3 deprecation warning is gone.
• B2 (445a2fb, 6b12123): the autobuild comment now documents per-module extraction across all five go.mod files and the make → git fetch upstream --tags side effect; the cron comment no longer calls stale a Monday job.
• NB1: PR body updated — the "Why autobuild" section now matches what ships (it still argued build-mode: none).
• NB2 (89b6c40): actions/checkout bumped to v6.0.2 to match scorecard.yml.
• NB3 (89b6c40): dropped the redundant codeql- concurrency prefix.
• NB4: left as-is — agreed, path filters break required-check semantics, so running on every PR is the right tradeoff.

PTAL.

[Aleksei Sviridkin (lexfrei)]

LGTM — both blockers from my prior review are resolved and verified at HEAD; one new minor warning remains, non-blocking.

Business context: raises the OpenSSF Scorecard SAST check (was 0/10) by adding GitHub's CodeQL static analysis for Go.

Resolved since the last review

• B1 (codeql-action v3 deprecation) — init + analyze (codeql.yml) and upload-sarif (scorecard.yml) are now all pinned to 8aad20d # v4.36.2. Verified the pin is genuine: the v4.36.2 annotated tag peels to commit 8aad20d… and the tags API confirms 8aad20d carries v4.36.2 + v4. The HEAD run (Analyze (go), run 27817668316) is green in 5m2s and its annotations no longer contain the CodeQL Action v3 will be deprecated warning.
• B2 (comments contradicted runtime behavior) — the autobuild comment now states it discovers every go.mod, extracts each module (root, api/apps/v1alpha1, the three nested image modules) and first attempts make from the repo root (network git fetch upstream --tags) before the Go build; the cron comment now correctly labels stale as a daily 04:37 job. Both match the observed run.
• Prior non-blocking items also addressed: the body rationale switched to "Why autobuild"; actions/checkout pinned to de0fac2e # v6.0.2 (matches scorecard.yml); the concurrency.group dropped the redundant codeql- prefix.

Verified pins at HEAD: checkout de0fac2e = v6.0.2, setup-go 40f1582b = v5.6.0, codeql-action 8aad20d = v4.36.2 (all three refs).

Non-blocking follow-up

1. The HEAD run still emits one warning per run: actions/setup-go@40f1582b (v5.6.0) targets Node 20 and is force-run on Node 24 (GitHub's Sept-2025 Node-20 runner deprecation). actions/setup-go@v6.4.0 runs on Node 24 natively — bumping clears the last "warning in every run", in the same spirit as the codeql v4 bump that fixed B1. Ecosystem-wide rather than specific to this PR, so purely optional.