Context
PR #286 adds a CodeQL Advanced workflow for automated security scanning across actions, JavaScript/TypeScript, and Rust. This issue tracks recommended improvements before merging.
Recommendations
1. Remove boilerplate / template comments
The workflow file contains many default template comments from GitHub's CodeQL starter (e.g., Swift runner notes, manual build placeholder). These add noise and should be trimmed to keep the workflow readable and project-specific.
2. Manual build step will cause CI failure
The manual build mode step (lines 89-97) contains a hardcoded exit 1. While no matrix entry currently uses build-mode: manual, this is a footgun — if Rust analysis ever needs to switch to manual builds, CI will fail silently with a misleading error. Either remove the step entirely or replace the placeholder with actual build commands.
3. Consider restricting the schedule trigger
The weekly cron schedule (42 6 * * 0) runs against the default branch. This is fine, but confirm that the team wants weekly scheduled scans in addition to push/PR triggers — it consumes GitHub Actions minutes.
4. Rust CodeQL coverage is limited
CodeQL's Rust support is still in beta/preview. Consider whether additional Rust-specific security tooling (e.g., cargo audit, cargo deny) should complement CodeQL for dependency and vulnerability scanning.
5. Branch name typo
The branch is named feature/codql-workflow (missing the e in CodeQL). Minor, but worth noting if branch naming conventions matter.