ci: remove stray codeql.yml workflow#125

Merged
don-petry merged 15 commits into main from claude/issue-93-20260419-1732
May 25, 2026

@don-petry don-petry commented Apr 19, 2026

Contributor

Summary

  • Deletes .github/workflows/codeql.yml (36 lines)
  • The org now uses GitHub-managed CodeQL default setup
  • Per-repo workflow files are drift and run duplicate analysis alongside the default setup

Closes #93

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Removed CodeQL scanning workflow from GitHub Actions configuration.

Copilot AI review requested due to automatic review settings April 19, 2026 17:34
@coderabbitai

coderabbitai Bot commented Apr 19, 2026


Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 59 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 98e346a1-8cde-4279-89f3-cecd1f198fed

📥 Commits

Reviewing files that changed from the base of the PR and between bcb8486 and 2123a7c.

📒 Files selected for processing (1)
  • .gitignore
📝 Walkthrough

Removes the repository's CodeQL GitHub Actions workflow to comply with organizational standards that now use GitHub-managed default setup instead of per-repo workflow configurations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI Workflows: .github/workflows/codeql.yml | Deleted CodeQL scanning workflow that configured analysis on push, pull requests, and weekly schedule to eliminate duplicate scanning with managed default setup. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title concisely describes the main change: removing a stray codeql.yml workflow file, which directly matches the primary objective. |
| Linked Issues check | ✅ Passed | The pull request successfully deletes the stray codeql.yml workflow as required by issue #93, achieving full compliance with the organization's CodeQL default setup standard. |
| Out of Scope Changes check | ✅ Passed | The pull request contains only the deletion of .github/workflows/codeql.yml, which is directly scoped to and required by issue #93 with no extraneous changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@don-petry

Contributor Author

Self-review

The change is minimal and precise:

  • Deletes only .github/workflows/codeql.yml (36 lines)
  • No exceptions apply — the workflow used the default build mode, only scanned the actions language, and had no custom query pack or path filters, so there is no reason to keep it

CI is running; no other files were touched.

@don-petry — you're the code owner for this repo. Once CI is green, please review and merge to close the compliance finding.

Copilot AI left a comment


Pull request overview

Removes the repository-local CodeQL GitHub Actions workflow to avoid duplicating analysis now that the org uses GitHub-managed CodeQL default setup.

Changes:

  • Deletes .github/workflows/codeql.yml to eliminate the redundant CodeQL workflow.
Comments suppressed due to low confidence (1)

.github/workflows/codeql.yml:1

  • Deleting this workflow removes the "Analyze (actions)" check run that it produced. This repo still documents/enforces required status checks via .github/scripts/apply-code-quality-ruleset.sh, which currently references context "Analyze (actions)" derived from this workflow; if that ruleset (or any branch protection) is active, merges will be blocked once this workflow is gone. Please update the required check context to match the GitHub-managed CodeQL default setup check name (or remove the requirement) as part of this change.

@don-petry don-petry left a comment

Contributor Author


Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: bcb84866df760bbffbf544df457f1618aaccdae8
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

PR deletes the per-repo codeql.yml workflow to comply with org standard (issue #93). All CI checks pass and the change is minimal and well-scoped. However, .github/scripts/apply-code-quality-ruleset.sh lists 'Analyze (actions)' — the check produced exclusively by the deleted workflow — as a required status check in the code-quality branch ruleset; once merged, that check will never run again on future PRs, which could permanently block all subsequent merges if the active ruleset has not already been updated to use the managed-CodeQL check name ('CodeQL').

Findings

Major

  • .github/scripts/apply-code-quality-ruleset.sh:48 — apply-code-quality-ruleset.sh requires the 'Analyze (actions)' status check (line ~48), which is produced only by the codeql.yml workflow being deleted here. After merge, that check will never run again. If the active branch ruleset still requires it, all future PRs will be permanently blocked. The PR should either (a) update the ruleset script to replace 'Analyze (actions)' with 'CodeQL' (the managed-setup check name visible in this PR's own statusCheckRollup) and re-apply the ruleset, or (b) confirm that the canonical org-level ruleset management (petry-projects/.github/scripts/apply-rulesets.sh) has already been updated and the repo ruleset reflects the new check name.

Info

  • Copilot review flagged the same ruleset/required-check conflict as a low-confidence comment; the thread was suppressed but the concern is substantiated by reading the ruleset script.
  • GitHub-managed CodeQL ('CodeQL' check, conclusion: SUCCESS) and SonarCloud both ran cleanly on this PR. Deleting the per-repo workflow does not create a CodeQL coverage gap — the managed setup already provides equivalent scanning.
  • .github/workflows/codeql.yml — Change directly satisfies issue #93 (stray-codeql-workflow compliance finding). No exceptions apply: the deleted workflow used default build mode, only scanned the 'actions' language, and had no custom query pack or path filters.

CI status

All CI checks passed on the reviewed commit. The concern is not current CI failure but a post-merge ruleset conflict that would affect future PRs.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry

Contributor Author

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

  • [major] .github/scripts/apply-code-quality-ruleset.sh:48 — apply-code-quality-ruleset.sh requires the Analyze (actions) status check, which is produced only by the codeql.yml workflow being deleted here. After merge, that check will never run again and could permanently block all future PRs. Please either (a) update the ruleset script to replace Analyze (actions) with CodeQL (the managed-setup check name) and re-apply the ruleset, or (b) confirm that the org-level ruleset management (petry-projects/.github/scripts/apply-rulesets.sh) has already been updated and the repo ruleset reflects the new check name.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on main if the branch is behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.
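
The ruleset conflict raised in the two review comments above can be checked mechanically before merging. The following is an added example, not code from this PR or from the repository's scripts: it compares the status check contexts an active ruleset requires against the checks that actually reported on a PR. Both JSON samples are constructed; their shapes are assumed to follow the GitHub REST repository ruleset object and the output of `gh pr view --json statusCheckRollup`, and the `build` and `legacy/status` check names and all function names are hypothetical.

```python
import json

# Constructed sample, in the shape of a GitHub REST API repository ruleset.
RULESET = json.loads("""
{"name": "code-quality", "enforcement": "active", "rules": [
  {"type": "pull_request", "parameters": {}},
  {"type": "required_status_checks", "parameters": {"required_status_checks": [
    {"context": "Analyze (actions)"},
    {"context": "build"}]}}
]}
""")

# Constructed sample, in the shape of `gh pr view --json statusCheckRollup`.
ROLLUP = json.loads("""
{"statusCheckRollup": [
  {"__typename": "CheckRun", "name": "CodeQL", "conclusion": "SUCCESS"},
  {"__typename": "CheckRun", "name": "build", "conclusion": "SUCCESS"},
  {"__typename": "StatusContext", "context": "legacy/status", "state": "SUCCESS"}
]}
""")


def required_contexts(ruleset):
    """Status check contexts the ruleset enforces (none unless it is active)."""
    if ruleset.get("enforcement") != "active":
        return set()
    contexts = set()
    for rule in ruleset.get("rules", []):
        if rule.get("type") != "required_status_checks":
            continue
        for check in rule.get("parameters", {}).get("required_status_checks", []):
            contexts.add(check["context"])
    return contexts


def reported_contexts(rollup):
    """Check names that reported on the PR head commit."""
    # CheckRun entries carry "name"; legacy commit statuses carry "context".
    return {item.get("name") or item.get("context")
            for item in rollup.get("statusCheckRollup", [])} - {None}


def orphaned_required_checks(ruleset, rollup):
    """Required contexts that no check reported; a PR waiting on one cannot merge."""
    return sorted(required_contexts(ruleset) - reported_contexts(rollup))


if __name__ == "__main__":
    for ctx in orphaned_required_checks(RULESET, ROLLUP):
        print(f"required check never reported: {ctx}")
```

A ruleset whose enforcement is not `active` yields no required contexts, matching the reviewers' condition that the conflict only matters if the ruleset is active.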

@github-actions

Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

The org now uses GitHub-managed CodeQL default setup. Per-repo
workflow files are drift and run duplicate analysis alongside
default setup.

Closes #93

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
@don-petry don-petry force-pushed the claude/issue-93-20260419-1732 branch from bcb8486 to 950038a Compare May 13, 2026 17:08
@don-petry don-petry requested a review from a team as a code owner May 13, 2026 17:08

@don-petry

Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Contributor Author

@dev-lead - please fix this PR

@don-petry

Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) May 25, 2026 20:01
@don-petry don-petry merged commit 5204344 into main May 25, 2026
19 of 20 checks passed
@don-petry don-petry deleted the claude/issue-93-20260419-1732 branch May 25, 2026 20:02
Development

Successfully merging this pull request may close these issues.

Compliance: stray-codeql-workflow

3 participants