cli/.gh-actions/workflows/codescan-pull-request.yml

# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
name: "Code Scanning: Pull Request"

on:
  pull_request:
    branches: ["dev"]

jobs:
  CodeQL:
    runs-on: ubuntu-latest

    permissions:
      security-events: write
      actions: read
      contents: read

    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v6

      - name: "Initialize CodeQL"
        uses: github/codeql-action/init@v4
        with:
          languages: go,javascript,typescript

      - name: "Autobuild"
        uses: github/codeql-action/autobuild@v4

      - name: "Perform CodeQL Analysis"
        uses: github/codeql-action/analyze@v4
ci: revert to ubuntu-latest runners Self-hosted runners need environment parity work (ARM64, root user, SDK tools). Keep self-hosted for future local-llm integration tasks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 22:07:13 +00:00			`# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request`
			`name: "Code Scanning: Pull Request"`

			`on:`
			`pull_request:`
			`branches: ["dev"]`

			`jobs:`
			`CodeQL:`
			`runs-on: ubuntu-latest`

			`permissions:`
			`security-events: write`
			`actions: read`
			`contents: read`

			`steps:`
			`- name: "Checkout Repository"`
			`uses: actions/checkout@v6`

			`- name: "Initialize CodeQL"`
			`uses: github/codeql-action/init@v4`
			`with:`
			`languages: go,javascript,typescript`

			`- name: "Autobuild"`
			`uses: github/codeql-action/autobuild@v4`

			`- name: "Perform CodeQL Analysis"`
			`uses: github/codeql-action/analyze@v4`