fix(ci): convert CodeQL workflow to no-op stub on Gitea (#156) #51

Merged

claude-ceo-assistant merged 1 commits from fix/codeql-stub-on-gitea-156 into main

2026-05-07 21:37:04 +00:00

Author SHA1 Message Date

Author	SHA1	Message	Date
claude-ceo-assistant	3a00dd236f	fix(ci): convert CodeQL workflow to no-op stub on Gitea (#156 ) All checks were successful Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 14s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 14s Details CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 4s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 4s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 5s Details CI / Detect changes (pull_request) Successful in 17s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 15s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 11s Details Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 14s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s Details CI / Platform (Go) (pull_request) Successful in 10s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s Details CI / Python Lint & Test (pull_request) Successful in 6s Details CI / Canvas (Next.js) (pull_request) Successful in 9s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 7s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 11s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 10s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 10s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Why --- PR #35 marked `continue-on-error: true` at the JOB level (correct YAML), but Gitea Actions 1.22.6 does NOT propagate job-level continue-on-error to the commit-status API — every matrix leg still posts `failure`. That keeps OVERALL=failure on every push to main + staging and blocks the auto-promote signal even when every other gate is green. Worse: the underlying CodeQL run never actually worked on Gitea. The github/codeql-action/init@v4 step calls api.github.com bundle endpoints (CLI download + query packs + telemetry) that Gitea does NOT proxy. Confirmed via live-tested run 1d/3101 on operator host: 2026-05-07T20:55:17 ::group::Run Initialize CodeQL with: languages: ${{ matrix.language }} queries: security-extended 2026-05-07T20:55:36 ::error::404 page not found 2026-05-07T20:55:50 Failure - Main Initialize CodeQL 2026-05-07T20:55:51 skipping Perform CodeQL Analysis (main skipped) 2026-05-07T20:55:51 :⚠️:No files were found at sarif-results/go/ The SARIF artifact upload was already a no-op (warning above) — the analyze step never wrote anything because init failed. So nothing of value is being lost by stubbing this out. What ---- - Convert the workflow to a single-step stub that emits success per matrix language (go, javascript-typescript, python). - Keep workflow `name: CodeQL` exactly (auto-promote-staging.yml line 67 keys on it as a workflow_run gate). - Keep job name template `Analyze (${{ matrix.language }})` and the 3-leg matrix exactly (commit-status context names + branch protection + #144 required-check-name parity). - Keep all four triggers (push / pull_request / merge_group / schedule) so merge_group required-checks parity holds. - Drop the codeql-action steps, the Autobuild step, the SARIF parse step, and the upload-artifact step — all four of those are now dead code (init can never succeed against Gitea's API surface). Policy ------ Per Hongming decision 2026-05-07 (#156): CodeQL is ADVISORY, not blocking, until a Gitea-compatible SAST pipeline lands. The header of the new workflow file documents this decision + lists the three re-enable options (self-hosted Semgrep, Sonatype, GitHub mirror) plus the compensating controls in place (secret-scan, block-internal- paths, lint-curl-status-capture, branch-protection-drift). Closes #156. Touches #142 (no capital-M Molecule-AI refs in this file — already lowercase per `e01077be`). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 14:26:57 -07:00

claude-ceo-assistant

3a00dd236f

fix(ci): convert CodeQL workflow to no-op stub on Gitea (#156 )

Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 14s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 14s

Details

CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 4s

Details

CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 4s

Details

CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 5s

Details

CI / Detect changes (pull_request) Successful in 17s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 15s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 11s

Details

Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped

Details

Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 14s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s

Details

CI / Platform (Go) (pull_request) Successful in 10s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s

Details

CI / Python Lint & Test (pull_request) Successful in 6s

Details

CI / Canvas (Next.js) (pull_request) Successful in 9s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 7s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 11s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 10s

Details

Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 10s

Details

CI / Canvas Deploy Reminder (pull_request) Has been skipped

Details

Why
---
PR #35 marked `continue-on-error: true` at the JOB level (correct YAML),
but Gitea Actions 1.22.6 does NOT propagate job-level continue-on-error
to the commit-status API — every matrix leg still posts `failure`. That
keeps OVERALL=failure on every push to main + staging and blocks the
auto-promote signal even when every other gate is green.

Worse: the underlying CodeQL run never actually worked on Gitea. The
github/codeql-action/init@v4 step calls api.github.com bundle endpoints
(CLI download + query packs + telemetry) that Gitea does NOT proxy.
Confirmed via live-tested run 1d/3101 on operator host:

    2026-05-07T20:55:17 ::group::Run Initialize CodeQL
      with: languages: ${{ matrix.language }}
            queries: security-extended
    2026-05-07T20:55:36 ::error::404 page not found
    2026-05-07T20:55:50 Failure - Main Initialize CodeQL
    2026-05-07T20:55:51 skipping Perform CodeQL Analysis (main skipped)
    2026-05-07T20:55:51 :⚠️:No files were found at sarif-results/go/

The SARIF artifact upload was already a no-op (warning above) — the
analyze step never wrote anything because init failed. So nothing of
value is being lost by stubbing this out.

What
----
- Convert the workflow to a single-step stub that emits success per
  matrix language (go, javascript-typescript, python).
- Keep workflow `name: CodeQL` exactly (auto-promote-staging.yml
  line 67 keys on it as a workflow_run gate).
- Keep job name template `Analyze (${{ matrix.language }})` and the
  3-leg matrix exactly (commit-status context names + branch
  protection + #144 required-check-name parity).
- Keep all four triggers (push / pull_request / merge_group /
  schedule) so merge_group required-checks parity holds.
- Drop the codeql-action steps, the Autobuild step, the SARIF parse
  step, and the upload-artifact step — all four of those are now
  dead code (init can never succeed against Gitea's API surface).

Policy
------
Per Hongming decision 2026-05-07 (#156): CodeQL is ADVISORY, not
blocking, until a Gitea-compatible SAST pipeline lands. The header
of the new workflow file documents this decision + lists the three
re-enable options (self-hosted Semgrep, Sonatype, GitHub mirror)
plus the compensating controls in place (secret-scan, block-internal-
paths, lint-curl-status-capture, branch-protection-drift).

Closes #156. Touches #142 (no capital-M Molecule-AI refs in this
file — already lowercase per e01077be).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-07 14:26:57 -07:00

fix(ci): convert CodeQL workflow to no-op stub on Gitea (#156) #51

1 Commits