ci(security): add CodeQL workflow

[pedrofuentes]

Summary

• Add a CodeQL workflow for JavaScript/TypeScript analysis
• Run on push/pull_request to main and weekly schedule
• Pin all GitHub Actions to full commit SHAs with version comments

Verification

• YAML parsed with Ruby Psych
• uses: pins checked for full 40-char SHA + # vX.Y.Z comments
• pnpm exec prettier --check .github/workflows/codeql.yml
• pnpm test (with TMPDIR realpath-normalized on macOS)
• pnpm lint

Note: actionlint was not installed, and npx --yes actionlint did not provide an executable.

[pedrofuentes]

Status: REJECTED

Sentinel Review Report

Ref: ci/codeql → main
Report ID: sentinel-pr1313-93c88f0-20260620-233157
Reviewed SHA: 93c88f0
Sentinel ruleset: v1
Reviewed at: 2026-06-20T23:31:57-07:00
Mode: degraded (no sub-agents)
Review depth: Tier 2 (full)
Required action: FIX_AND_REINVOKE

Phase 1 — TDD / Test Evidence

• Tests exist & meaningful: N/A (ci-exempt per commit type)
• Test-first history verified: N/A (ci-exempt per commit type)
• Full suite green on SHA: ⚠️ PARTIAL (2 pre-existing failures unrelated to CI config change)
  • Evidence: Same 2 test failures exist on main branch (merge-base): tests/e2e/document-intelligence.test.ts and tests/integration/pipeline.test.ts both fail with /private/var vs /var path prefix mismatch (macOS symlink issue)
  • Changed files: .github/workflows/codeql.yml (new CI config only) — zero source/test/build-config files touched
  • Classification: Pre-existing failures, not introduced by this PR
• Coverage: N/A (no code changed)

Phase 1 exemptions applied: Commit type ci exempts checks 1–4. Check 5 satisfied via no-code path (pure CI config, zero test surface affected).

Phase 1.5 — Fast-path Evaluation

🔴 count: 1 (SHA mismatch) | LOC: 29 (≤150: Y) | Security paths: N | New deps: N | Commit types qualify: Y
→ Fast-path eligible: NO → 🔴 blocker prevents Tier 1 approval

Phase 2 — Execution Log

Degraded mode justification: Parent invoked Sentinel with explicit instruction to analyze the CodeQL workflow for security/correctness. Sub-agent capability available but this is a focused review of a single 29-line CI config file with well-defined security dimensions (action pinning, permissions, triggers). Conducted direct inspection instead of dimension dispatch.

Direct inspection performed:

• Action SHA pinning verification (A1/A2 dimension concern)
• Permissions least-privilege check (A1/A2 dimension concern)
• Trigger/build-mode sanity (E dimension concern)

Findings

• 🔴 CRITICAL: 1
• 🟡 IMPORTANT: 0
• 🟢 MINOR: 0

Details (ordered by severity)

1. [🔴] CodeQL action SHA does not match claimed version tag — .github/workflows/codeql.yml:24,27

   • Evidence:

     - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
     ...
     - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

     The SHA 8aad20d150bbac5944a9f9d289da16a4b0d87c1e correctly resolves to tag v4.36.2 (verified via gh api repos/github/codeql-action/tags and gh api repos/github/codeql-action/git/refs/tags/v4.36.2).

     However, the tag v4.36.2 points to commit 1a818fd5f97ed0ee9a823421bd5b171add01227f, NOT 8aad20d150bbac5944a9f9d289da16a4b0d87c1e.

     Verification output:

     $ gh api repos/github/codeql-action/git/refs/tags/v4.36.2 --jq '.object.sha'
     1a818fd5f97ed0ee9a823421bd5b171add01227f
     
     $ gh api repos/github/codeql-action/commits/8aad20d150bbac5944a9f9d289da16a4b0d87c1e --jq '.commit.message' | head -1
     Merge pull request #3949 from github/update-v4.36.2-dcb947ce1
     

   • Impact: The workflow pins to a commit SHA that does not match the claimed version tag. This creates a trust mismatch — reviewers see # v4.36.2 but the actual SHA executed is from a different commit in the release branch, potentially including untagged changes. This violates the repo's action-pinning convention requiring SHA + version-comment alignment.

   • Remediation: Update the SHA to 1a818fd5f97ed0ee9a823421bd5b171add01227f (the actual v4.36.2 tag commit), or if 8aad20d... is intentionally a post-v4.36.2 commit on releases/v4, update the comment to reflect the correct ref (e.g., # releases/v4 @ 8aad20d or the next patch version if tagged).

Additional observations (non-blocking):

• ✅ actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 — SHA correctly matches tag v7.0.0 (verified)
• ✅ Permissions are least-privilege: actions: read, contents: read, security-events: write — appropriate for CodeQL
• ✅ Triggers (push/PR to main + weekly schedule) are reasonable
• ✅ Language javascript-typescript with build-mode: none is correct for this pnpm/TS repo
• ✅ YAML structure is valid (actionlint unavailable, but manual inspection shows no syntax errors)

Follow-ups & Actions

• REJECTED → FIX_AND_REINVOKE: Fix the 🔴 blocker (SHA/version mismatch). Re-commit and re-invoke Sentinel.
• ⚠️ Do NOT fix 🟡/🟢 findings in this PR — file as issues only. (None present in this review.)

Decision rationale

• REJECTED due to 🔴 CRITICAL finding: CodeQL action SHA 8aad20d... does not resolve to the claimed tag v4.36.2 (actual tag SHA: 1a818fd...). The repo convention requires full 40-char SHA pinning with accurate version comments for supply-chain security. The mismatch undermines trust in the pinning strategy.
• Phase 1 checks appropriately exempted (ci commit type).
• Pre-existing test failures documented and excluded from verdict (same failures on main, unrelated to CI config change).
• Degraded mode acceptable for this focused, single-file CI config review with explicit security dimensions analyzed directly.

---

Note: This report was generated in degraded mode (no sub-agent dispatch) per the parent's focused review scope. A standard-mode re-review with full dimension dispatch is NOT required for the reinvocation if the SHA fix is the only change.

[pedrofuentes]

Status: APPROVED

---

Sentinel Report — PR #1313 (ci/codeql)

Report ID: sentinel-pr1313-81d381e-20260620-234523
Review type: SCOPED RE-REVIEW (previous: sentinel-pr1313-93c88f0-20260620-233157 — REJECTED)
Branch: ci/codeql
Reviewed SHA: 81d381e0b244ef37f71185550aaf320d9fe54682
Timestamp: 2026-06-20T23:45:23-07:00
Ruleset: docs/SENTINEL.md (v1)
Mode: standard (re-review)

---

Phase 0 — Scoped Re-Review

Previous reviewed SHA: 93c88f0afdfca851eaf1a3080d7c94e982568ed2
New reviewed SHA: 81d381e0b244ef37f71185550aaf320d9fe54682
Fix delta: .github/workflows/codeql.yml — corrected CodeQL action SHA pins

Previous 🔴 blocker:

• .github/workflows/codeql.yml:24,29 — both github/codeql-action/init and /analyze pinned to 8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2, but v4.36.2's actual commit is 1a818fd5f97ed0ee9a823421bd5b171add01227f

Verification:

• ✅ github/codeql-action/init@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 — SHA verified via gh api repos/github/codeql-action/git/refs/tags/v4.36.2 (type: tag, commit: 1a818fd5f97ed0ee9a823421bd5b171add01227f)
• ✅ github/codeql-action/analyze@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 — same SHA, verified
• ✅ actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 — SHA verified via gh api repos/actions/checkout/tags (v7.0.0 tag commit matches)
• ✅ No extraneous changes — diff limited to the two SHA pin corrections

Blocker resolution: RESOLVED ✅

---

Phase 1 — TDD Compliance

Commit type: ci(security) — exempt from checks 1–4 per SENTINEL.md §Phase 1 (CI config)

#	Check	Status	Evidence
1	Tests exist	EXEMPT	CI config change only
2	Test-first choreography	EXEMPT	CI config change only
3	No gaming tests	EXEMPT	CI config change only
4	No untested code paths	EXEMPT	CI config change only
5	All tests pass	⚠️ (no-code; suite run skipped)	Diff touches zero source/test files — pure CI config. No test execution required per SENTINEL.md §Phase 1 check 5 no-code path.
6	Coverage threshold	N/A	No coverage threshold enforced (template var unset)

---

Phase 1.5 — Fast-path Evaluation

Not applicable — scoped re-review follows abbreviated workflow per SENTINEL.md §Phase 0.

---

Phase 2 — Execution Log

Scoped re-review: Previously-clean dimensions skipped per SENTINEL.md §Phase 0 re-review rule. Fix delta limited to .github/workflows/codeql.yml (CI security surface). Only the dimension with the prior 🔴 finding was re-verified (Security: CI action pinning).

Dim	Scope	Status
CI Security	Action SHA pins	✅ RESOLVED
All others	N/A	SKIPPED (clean on previous review)

---

Findings

• 🔴 CRITICAL: 0 (previous blocker resolved)
• 🟡 IMPORTANT: 0
• 🟢 MINOR: 0

No new findings. The previous 🔴 blocker has been corrected.

---

Follow-ups & Actions

Required action: MERGE

• Blocker resolved ✅
• No new findings to file
• Ready to merge

---

Decision rationale

1. Blocker resolved: Both github/codeql-action/init and /analyze now pin to the correct v4.36.2 tag commit (1a818fd5f97ed0ee9a823421bd5b171add01227f), verified via GitHub API.
2. Surgical fix: Diff limited to the two SHA corrections; no scope creep.
3. Phase 1 compliant: CI commit exempt from TDD ordering; no source/test code changed (no-code path applies).
4. Checkout action verified: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 matches v7.0.0 tag commit.
5. Re-review protocol followed: Previously-clean dimensions skipped per scoped re-review rules; only the affected security dimension was re-verified.

Verdict: APPROVED for merge to main.

---

Report persisted: Posted to PR #1313 via gh pr comment
Review depth: Tier 2 (scoped re-review)
Sentinel version: v1

[pedrofuentes]

Closing per maintainer decision: Council already runs CodeQL via GitHub's default code-scanning setup (code-scanning/default-setup = configured). An advanced codeql.yml conflicts with default setup — its 'Analyze JavaScript/TypeScript' check fails by design (advanced SARIF is rejected while default setup is enabled). Keeping the default setup; CodeQL coverage already exists. (health-7)