B7: CodeQL workflow + pre-commit config #5
CodeQL (`.github/workflows/codeql.yml`): GitHub-native static analysis for Python using the security-and-quality query suite. Triggers on push/PR to main plus a weekly schedule so dormant weeks still get a fresh scan. Findings show up under the Security tab.

pre-commit (`.pre-commit-config.yaml`): runs locally before each commit. Hooks:

- pre-commit-hooks: trailing-whitespace, end-of-file-fixer, check-yaml, check-toml, check-merge-conflict, check-added-large-files (500kb), detect-private-key
- ruff-pre-commit: ruff --fix + ruff-format (same checks CI runs)

So a clean local commit means a green lint run in CI.

CONTRIBUTING.md updated with pre-commit install instructions.

Smoke-tested locally: `pre-commit run --all-files` passes on the current tree.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a0fdef37c1
| - id: detect-private-key | ||
|
|
||
| - repo: https://github.com/astral-sh/ruff-pre-commit | ||
| rev: v0.8.4 |
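Review bot: `rev: v0.8.4` pins the ruff-pre-commit hook to a git tag, which is a mutable reference; consider pinning to the tag's full commit SHA with the tag kept in a trailing comment (for example `rev: <commit-sha>  # v0.8.4`) so a moved or re-pushed tag cannot silently change the linter that runs on every commit, and keep that version equal to the one the CI lint job installs so both environments run the same Ruff.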
Pin Ruff to the same version used in CI
This pins pre-commit Ruff at v0.8.4, but the CI lint job installs ruff without a version pin (.github/workflows/ci.yml line 18), so the two environments will drift. When CI picks up newer Ruff rules/format changes, commits can pass locally via pre-commit and still fail in CI, which breaks the stated “clean local commit ⇒ green CI” guarantee and creates avoidable churn for contributors.
**Summary**

Two small security/quality additions:

1. **CodeQL workflow** (`.github/workflows/codeql.yml`)
   GitHub-native static analysis for Python using the `security-and-quality` query suite. Triggers on push/PR to `main` plus a weekly schedule (Mondays 06:23 UTC) so dormant weeks still get a fresh scan. Findings surface under the repo's Security tab.
2. **pre-commit config** (`.pre-commit-config.yaml`)
   Runs locally before each commit. Hooks:
   - pre-commit-hooks: `trailing-whitespace`, `end-of-file-fixer`, `check-yaml`, `check-toml`, `check-merge-conflict`, `check-added-large-files` (500kb cap), `detect-private-key`
   - ruff-pre-commit: `ruff --fix` + `ruff-format` (same checks CI runs)

   A clean local commit ⇒ a green lint run in CI.

`CONTRIBUTING.md` updated with `pip install pre-commit && pre-commit install` instructions.

**Smoke test**

Ran `pre-commit run --all-files` against the current tree on this branch — all 9 hooks pass.

**Stacked on #1**

Based on `claude/audit-github-repo-EWQDn`. Both files only depend on the ruff config that lives in `pyproject.toml` (added in #1). No conflicts expected with PR #2, #3, or #4 — different files entirely.

**Test plan**

- `pre-commit install` and have hooks fire on next commit

Generated by Claude Code
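The PR's "clean local commit ⇒ green CI" promise only holds while the pre-commit hook and the CI job run the same Ruff, which is the drift the Codex review flagged. The script below is an added example, not part of the PR or the project's files: it extracts the `rev:` of the `astral-sh/ruff-pre-commit` entry from `.pre-commit-config.yaml`, extracts the `ruff==<version>` pin from the CI workflow, and fails when they differ or when CI installs Ruff unpinned. It assumes CI installs Ruff with `pip install ruff==<version>` (a hypothetical line; the PR describes ci.yml as unpinned), and it also accepts a SHA-pinned rev whose tag is kept in a trailing `# vX.Y.Z` comment. The two fixture trees it writes are constructed for the demo; the 40-hex rev in the second one is a placeholder, not a real commit.

```sh
#!/usr/bin/env sh
# Added example (not part of the PR): detect Ruff version drift between the
# pre-commit hook pin and the CI lint job. Assumptions: hook repo is
# astral-sh/ruff-pre-commit; CI installs Ruff via `pip install ruff==<version>`
# (hypothetical); an unpinned `pip install ruff` is reported as drift.
set -u

# Print the `rev:` of the ruff-pre-commit entry. If the rev is a 40-hex commit
# SHA with a trailing `# vX.Y.Z` comment, print the tag from the comment instead.
precommit_ruff_rev() {
  awk '
    /repo:.*astral-sh\/ruff-pre-commit/ { want = 1; next }
    want && /^[[:space:]]*rev:/ {
      line = $0
      sub(/\r$/, "", line)
      tag = ""
      if (match(line, /#[[:space:]]*v?[0-9]+\.[0-9]+\.[0-9]+/)) {
        tag = substr(line, RSTART, RLENGTH)
        sub(/^#[[:space:]]*/, "", tag)
      }
      sub(/[[:space:]]*#.*$/, "", line)              # drop trailing comment
      sub(/^[[:space:]]*rev:[[:space:]]*/, "", line) # drop the key
      gsub(/["'\''[:space:]]/, "", line)             # drop quotes and whitespace
      if (length(line) == 40 && line ~ /^[0-9a-f]+$/ && tag != "") print tag
      else print line
      exit
    }
  ' "$1"
}

# Print the version from the first `ruff==<version>` in the CI workflow;
# prints nothing when Ruff is installed without a pin.
ci_ruff_pin() {
  grep -oE 'ruff==[^[:space:]"'\'']+' "$1" | head -n 1 | cut -d= -f3
}

# $1: .pre-commit-config.yaml  $2: CI workflow file
# Returns 0 when both sides pin the same Ruff version, 1 otherwise.
check_ruff_pin() {
  hook_ver=$(precommit_ruff_rev "$1")
  ci_ver=$(ci_ruff_pin "$2")
  hook_ver=${hook_ver#v}   # ruff-pre-commit tags are vX.Y.Z, pip pins are X.Y.Z
  if [ -z "$ci_ver" ]; then
    echo "CI installs ruff without a version pin; pre-commit uses $hook_ver" >&2
    return 1
  fi
  if [ "$hook_ver" != "$ci_ver" ]; then
    echo "Ruff drift: pre-commit=$hook_ver ci=$ci_ver" >&2
    return 1
  fi
  echo "Ruff pinned consistently at $hook_ver"
}

# Write two constructed fixture trees and print the scratch directory.
make_samples() {
  dir=$(mktemp -d)
  mkdir -p "$dir/drift/.github/workflows" "$dir/ok/.github/workflows"
  # Fixture 1: tag-pinned hook, unpinned CI install (the state the review flagged).
  cat > "$dir/drift/.pre-commit-config.yaml" <<'EOF'
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: detect-private-key
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.8.4
    hooks:
      - id: ruff
        args: [--fix]
      - id: ruff-format
EOF
  cat > "$dir/drift/.github/workflows/ci.yml" <<'EOF'
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: pip install ruff
      - run: ruff check . && ruff format --check .
EOF
  # Fixture 2: SHA-pinned hook (placeholder SHA) with tag comment, CI pinned to match.
  cat > "$dir/ok/.pre-commit-config.yaml" <<'EOF'
repos:
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: 0123456789abcdef0123456789abcdef01234567  # v0.8.4 (placeholder SHA)
    hooks:
      - id: ruff
      - id: ruff-format
EOF
  cat > "$dir/ok/.github/workflows/ci.yml" <<'EOF'
jobs:
  lint:
    steps:
      - run: pip install ruff==0.8.4
      - run: ruff check . && ruff format --check .
EOF
  echo "$dir"
}

demo() {
  root=$(make_samples)
  echo "== tag-pinned hook, unpinned CI =="
  check_ruff_pin "$root/drift/.pre-commit-config.yaml" "$root/drift/.github/workflows/ci.yml" \
    || echo "exit status 1: fail the CI step or the commit here"
  echo "== SHA-pinned hook with tag comment, CI pinned to the same version =="
  check_ruff_pin "$root/ok/.pre-commit-config.yaml" "$root/ok/.github/workflows/ci.yml"
  rm -rf "$root"
}
demo
```

Run it as a local pre-commit hook (`language: script`) or as the first step of the CI lint job so that the two pins cannot diverge unnoticed; the SHA handling is there so the drift check keeps working once the hook is pinned to an immutable commit rather than a tag.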