From 256a66fbaa90f576704f101aaf59672945795c68 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Mon, 11 May 2026 06:49:40 +0100
Subject: [PATCH 1/2] Add CodeQL workflow to scan GitHub Actions

Runs CodeQL's actions language analysis with security-extended and security-and-quality query suites on PRs that touch workflow or action files, catching workflow injection and other supply-chain risks before merge.

Assisted-by: Claude Opus 4.7
Signed-off-by: Paulo Gomes
---
 .github/workflows/codeql-actions.yml | 35 ++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .github/workflows/codeql-actions.yml

diff --git a/.github/workflows/codeql-actions.yml b/.github/workflows/codeql-actions.yml
new file mode 100644
index 0000000000..96a8aa7a6b
--- /dev/null
+++ b/.github/workflows/codeql-actions.yml
@@ -0,0 +1,35 @@
+name: CodeQL (GitHub Actions)
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze workflows
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        with:
+          languages: actions
+          queries: security-extended,security-and-quality
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        with:
+          category: /language:actions
From 1d9070e27a54fbe3ea475628b4cfece8ab064033 Mon Sep 17 00:00:00 2001
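Review bot: With only `pull_request` and `workflow_dispatch` under `on:`, nothing ever uploads an analysis of the default branch, so code scanning has no baseline to compare PR results against and, as far as I can tell, every pre-existing finding will resurface on each PR rather than only the ones the PR introduces; adding `push: branches: [<default-branch>]` (or a `schedule:`) next to the PR trigger gives it one. The `queries:` line in the init step names both `security-extended` and `security-and-quality`, but the latter suite already contains the former, so `queries: security-and-quality` alone is equivalent and less confusing. On a manual `workflow_dispatch` run `github.event.pull_request.head.sha` expands to an empty string, which checkout treats as the default ref rather than an error — a comment on the `ref:` line such as `# empty on workflow_dispatch; checkout then falls back to the default ref` would stop a reader from filing it as a bug.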
From: Paulo Gomes
Date: Mon, 11 May 2026 06:58:02 +0100
Subject: [PATCH 2/2] Skip CodeQL SARIF upload on fork PRs

Fork PRs receive a read-only GITHUB_TOKEN, so the analyze step's upload to the code-scanning API fails and turns the check red for external contributors. Switch upload to never for fork PRs while still running the analysis so findings appear in the job log.

Assisted-by: Claude Opus 4.7
Signed-off-by: Paulo Gomes
Entire-Checkpoint: d86ffe2e995d
---
 .github/workflows/codeql-actions.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/codeql-actions.yml b/.github/workflows/codeql-actions.yml
index 96a8aa7a6b..dea0aee5c1 100644
--- a/.github/workflows/codeql-actions.yml
+++ b/.github/workflows/codeql-actions.yml
@@ -33,3 +33,7 @@ jobs:
         uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           category: /language:actions
+          # Fork PRs receive a read-only GITHUB_TOKEN, so SARIF upload to the
+          # code-scanning API would fail. Analyze still runs and surfaces
+          # findings in the job log; same-repo PRs upload as normal.
+          upload: ${{ github.event.pull_request.head.repo.full_name == github.repository && 'always' || 'never' }}
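Review bot: The new `upload:` expression also disables upload on `workflow_dispatch` runs, because `github.event.pull_request` is empty for that event, `head.repo.full_name == github.repository` evaluates false, and the job falls into the `'never'` branch despite holding a write-capable token. Guarding on the event name keeps manual runs uploading: `upload: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && 'always' || 'never' }}`. A second consequence the comment should state is that with `upload: never` nothing gates a fork PR on findings — a workflow-injection result from an external contributor is, per the commit message, only written to the job log and the check stays green until a maintainer reads it — so something like `# NOTE: fork PRs are not blocked on findings; read the job log before merging` belongs next to the existing comment. The step whose `with:` block these lines extend begins above the hunk.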