ci: add CodeQL static analysis workflow#1022

Merged
mergify[bot] merged 1 commit into python-wheel-build:main from mprpic:add-codeql-scanning
Apr 4, 2026

Conversation

@mprpic
Contributor

@mprpic mprpic commented Apr 3, 2026

Pull Request Description

What

Add CodeQL SAST for Python to run on pushes to main, PRs, and weekly. Results are uploaded to GitHub's Security tab as code scanning alerts.

See also #1008

Why

https://github.blog/security/supply-chain-security/securing-the-open-source-supply-chain-across-github/#h-what-you-can-do-today

Add CodeQL SAST for Python to run on pushes to main, PRs, and weekly.
Results are uploaded to GitHub's Security tab as code scanning alerts.

See also python-wheel-build#1008

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Martin Prpič <mprpic@redhat.com>
@mprpic mprpic self-assigned this Apr 3, 2026
@mprpic mprpic requested a review from a team as a code owner April 3, 2026 20:38
@coderabbitai

coderabbitai bot commented Apr 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 63d1caa4-def6-43e0-a8c5-31d972b42d7e

📥 Commits

Reviewing files that changed from the base of the PR and between 5a49262 and be4ae09.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yaml

📝 Walkthrough

Walkthrough

This pull request introduces a new GitHub Actions workflow file (.github/workflows/codeql.yaml) that configures CodeQL security analysis for the repository. The workflow is triggered on pushes to main, pull requests targeting main, and a weekly schedule. It uses a single job named analyze running on ubuntu-latest with a language matrix containing Python. The workflow executes CodeQL initialization, autobuild, and analysis steps with appropriate permissions scoped to read repository contents and write security events.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title clearly and concisely describes the main change: adding a CodeQL static analysis workflow to the CI pipeline.
  • Description check: ✅ Passed. The description is directly related to the changeset, explaining what CodeQL SAST was added, why it matters for supply chain security, and referencing the relevant issue.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.
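A workflow reconstructed from the walkthrough above, added here as an example; it is not the file merged in this PR (the actual contents are not shown on this page), and the action version tags, job name and cron time are assumptions:

```yaml
# Added example: a CodeQL workflow matching the walkthrough's description.
# Not the file merged in #1022; version tags and the cron time are assumed.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly run so newly published queries re-scan an otherwise idle main branch.
    - cron: "0 6 * * 1"   # assumed time; any weekly slot works

# Drop the default token permissions; each job grants only what it needs.
permissions: {}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the source to scan
      security-events: write  # upload SARIF results to the Security tab
    strategy:
      fail-fast: false
      matrix:
        language: [python]
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # For Python, autobuild only extracts sources; it is kept so the same
      # job shape keeps working if compiled languages are added to the matrix.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

If the repository policy requires it, pin the three codeql-action steps and checkout to full commit SHAs instead of the version tags assumed here, since mutable tags are themselves a supply-chain trust point.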

@mergify mergify bot added the ci label Apr 3, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@LalatenduMohanty
Member

@mergify rebase

@LalatenduMohanty
Member

@Mergifyio queue

@LalatenduMohanty
Member

@Mergifyio refresh

@mergify
Contributor

mergify bot commented Apr 4, 2026

rebase

☑️ Nothing to do, the required conditions are not met

Details
  • any of:
    • #commits-behind > 0 [📌 rebase requirement]
    • -linear-history [📌 rebase requirement]
  • -closed [📌 rebase requirement]
  • -conflict [📌 rebase requirement]
  • queue-position = -1 [📌 rebase requirement]

@mergify
Contributor

mergify bot commented Apr 4, 2026

queue

⚠️ Configuration not compatible with a branch protection setting

Details

The branch protection setting Require branches to be up to date before merging is not compatible with draft PR checks. To keep this branch protection enabled, update your Mergify configuration to enable in-place checks: set merge_queue.max_parallel_checks: 1, set every queue rule batch_size: 1, and avoid two-step CI (make merge_conditions identical to queue_conditions). Otherwise, disable this branch protection.

@mergify
Contributor

mergify bot commented Apr 4, 2026

refresh

✅ Pull request refreshed

@mergify mergify bot merged commit b5df8e2 into python-wheel-build:main Apr 4, 2026
39 checks passed
@mprpic mprpic deleted the add-codeql-scanning branch April 6, 2026 12:15