
Fix: correct codeql pipeline#280

Open
Thaleszh wants to merge 3 commits into main from fix/codeql

Conversation

@Thaleszh
Contributor

@Thaleszh Thaleszh commented Mar 2, 2026

Description

Adapts pipeline so that codeql actually runs

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

pipeline

PR Checklist:

Make sure each step was done:

  • Updated changelog with PR's intent
  • Lint with make lint-fix

@Thaleszh Thaleszh requested a review from jhelison as a code owner March 2, 2026 14:18
@coderabbitai
Contributor

coderabbitai bot commented Mar 2, 2026

Walkthrough

The pull request updates the CodeQL GitHub Actions workflow by fixing a mis-indented comment and adding two steps: an Autobuild step using github/codeql-action/autobuild@v3 and an Analyze step using github/codeql-action/analyze@v3 with the Go language category. Additionally, a single-line comment was added inside x/oracle/keeper/keeper.go. No public APIs or exported entities were changed. Total lines changed: +9/-1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change in the PR: fixing and correcting the CodeQL pipeline configuration, which is the primary focus of the changes to .github/workflows/codeql.yaml.
Description check ✅ Passed The description is related to the changeset. It explains the intent (adapting the pipeline so CodeQL actually runs) and identifies it as a bug fix, which aligns with the CodeQL workflow configuration changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

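The walkthrough names only the two steps the PR adds (Autobuild and Analyze). For readers who want the full shape they slot into, here is a complete CodeQL workflow for a Go repository, added as an example and not the project's actual .github/workflows/codeql.yaml. It assumes the workflow already has a checkout and a github/codeql-action/init step, because autobuild and analyze both require init to have run first, and it uses the same `<40-char-commit-sha>` placeholder the pinning review comment on this PR uses rather than real commit hashes, so the pinned lines must be filled in before the file is usable. The job-level `security-events: write` permission is what allows the Analyze step to upload its SARIF results; without it the scan itself can succeed and the upload still fails.

```yaml
# Added example of a full CodeQL workflow for a Go repository; this is not
# the project's own .github/workflows/codeql.yaml. Replace every
# <40-char-commit-sha> with the real commit for the tag in the trailing
# comment before committing this file.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly scan of the default branch

# Default to read-only; the job below requests the one write it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (Go)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read          # read workflow run metadata
      security-events: write # required to upload SARIF results to code scanning
    steps:
      - name: Checkout
        uses: actions/checkout@<40-char-commit-sha> # v4.x.x

      - name: Initialize CodeQL
        uses: github/codeql-action/init@<40-char-commit-sha> # v3.x.x
        with:
          languages: go

      # Builds the Go module so CodeQL can observe compilation; a broken
      # build fails this step and therefore the whole job, which is how a
      # misconfigured pipeline becomes visible instead of silently skipping.
      - name: Autobuild
        uses: github/codeql-action/autobuild@<40-char-commit-sha> # v3.x.x

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@<40-char-commit-sha> # v3.x.x
        with:
          category: "/language:go"
```

The `category` value keeps this Go analysis distinct from any other CodeQL upload for the same commit, and the `pull_request` trigger is what produces the per-PR annotations the github-advanced-security comment on this PR describes.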


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/workflows/codeql.yaml (1)

39-42: Pin GitHub Actions to immutable full-length commit SHAs.

Lines 39 and 42 use mutable version tags (@v3). GitHub officially recommends pinning third-party actions to full 40-character commit SHAs to reduce supply-chain risk and ensure reproducibility. Include a comment with the version for maintainability:

uses: github/codeql-action/autobuild@<40-char-commit-sha> # v3.x.x
uses: github/codeql-action/analyze@<40-char-commit-sha> # v3.x.x

Pair SHA pinning with automated updates (e.g., Dependabot) to keep dependencies current.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql.yaml around lines 39 - 42, Replace the mutable
action references for github/codeql-action/autobuild@v3 and
github/codeql-action/analyze@v3 with their immutable 40-character commit SHAs
(use the full commit SHA in place of the tag) and append an inline comment
preserving the human-readable tag (e.g., "# v3.x.x"); ensure both occurrences
from the diff are updated to the corresponding SHAs and consider enabling
Dependabot or an automated workflow to keep those SHAs up to date.


📥 Commits

Reviewing files that changed from the base of the PR and between 01df974 and deee3d3.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yaml
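A check for the pinning point raised in the comment above, added here as an example and not part of the PR or of the bot's comment: a POSIX shell function that lists every `uses:` reference in a workflow that is not pinned to a full 40-hex-character commit SHA, so the rule can be enforced in CI instead of by eye. It runs over a constructed workflow excerpt embedded in the script; the SHA on that excerpt's checkout line is a made-up placeholder, not a real actions/checkout commit.

```shell
#!/bin/sh
# Added example: flag GitHub Actions `uses:` references that are not pinned to
# a full 40-hex-character commit SHA. Not part of the PR under review.

# Constructed workflow excerpt for demonstration. The SHA on the checkout line
# is a placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW='name: CodeQL
jobs:
  analyze:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x.x
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:go"
      - uses: ./.github/actions/local-step   # local actions carry no ref
'

# Print every `uses:` reference in the workflow text given as $1 whose ref is
# not a 40-hex-character SHA. Trailing "# vX.Y.Z" comments are stripped first,
# so the tag annotation recommended alongside pinning cannot hide the ref.
# Local actions (./path) are skipped; they are versioned with the repository.
unpinned_actions() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' |
    sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' |
    grep -v '^\./' |
    grep -Ev '@[0-9a-f]{40}$' || true
}

# Number of unpinned references; 0 means the workflow passes the check.
count_unpinned() {
  unpinned_actions "$1" | grep -c . || true
}

# Stand-alone run: list the offending references and report the count.
unpinned_actions "$SAMPLE_WORKFLOW"
echo "unpinned references: $(count_unpinned "$SAMPLE_WORKFLOW")"
```

Run against the excerpt it reports the two `@v3` references from this PR and nothing else. The check is deliberately line-based: it does not handle `uses:` values wrapped in quotes or `docker://` image references, so a repository using either needs the two `sed` expressions extended before wiring this into a pre-merge job.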


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
x/oracle/keeper/keeper.go (1)

251-251: Remove CI/debug-only comment from keeper logic.

Line 251 adds a process-oriented comment (force analysis of code ql) in production module code. Please remove it to keep comments focused on business/domain behavior.

Proposed cleanup
-	// Comment to force analysis of code ql
 	// Get voting target
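Review bot: applying this removal before the new Analyze step has reported on this branch defeats the reason the line exists. The deleted comment says it is there to force CodeQL analysis, and the walkthrough lists it as the PR's only change outside the workflow file, so dropping it now leaves nothing in x/oracle/keeper/keeper.go for the Go analysis to exercise in this PR. Better to take this cleanup in a follow-up once code scanning results have appeared, and to trigger the workflow directly rather than carrying a dummy edit in module code.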
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@x/oracle/keeper/keeper.go` at line 251, Remove the CI/debug-only inline
comment "force analysis of code ql" from the keeper logic (the stray comment at
the top of keeper.go) so production code only contains business/domain-focused
comments; search for and delete any other similar CI/debug-only comments in the
keeper package to keep comments relevant and maintainable.


📥 Commits

Reviewing files that changed from the base of the PR and between deee3d3 and c0e2961.

📒 Files selected for processing (1)
  • x/oracle/keeper/keeper.go

@codecov

codecov bot commented Mar 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
