From be1ace4e7042d1dcc5301ed432ef2a95b14542e7 Mon Sep 17 00:00:00 2001
From: lml2468
Date: Thu, 4 Jun 2026 16:51:02 +0800
Subject: [PATCH] ci: add CodeQL security analysis workflow

Add CodeQL static analysis for Go using the org-level reusable workflow. Runs on push to main, PRs, daily schedule, and manual dispatch. octo-cli processes user input (CLI args, config files, API responses) and should have the same security scanning coverage as other Go repositories in the org. Follows the same caller pattern as octo-server, octo-lib, octo-matter, octo-im, octo-speech, and octo-smart-summary. Ref: Workflow optimization task T09
---
 .github/workflows/codeql.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..feaffe0
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths-ignore:
+      - '**/*.md'
+      - 'docs/**'
+      - '.github/ISSUE_TEMPLATE/**'
+  schedule:
+    - cron: "0 6 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  analyze:
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    uses: Mininglamp-OSS/.github/.github/workflows/reusable-codeql.yml@main
+    with:
+      language: go
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
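Review bot: The reusable workflow is referenced by the mutable `main` branch (`uses: Mininglamp-OSS/.github/.github/workflows/reusable-codeql.yml@main`), so any change pushed to the org's `.github` repository takes effect here without review and runs under this job's `security-events: write` grant; consider pinning to a release tag or full commit SHA, e.g. `uses: Mininglamp-OSS/.github/.github/workflows/reusable-codeql.yml@<pinned-commit-sha>` (placeholder), and letting the dependency-update bot bump it, accepting that the commit message says the sibling repos use `@main` today. The top-level `permissions: {}` followed by the per-job grants is the right least-privilege shape but will read as an omission to the next maintainer without a note; a line above it such as `# No default token permissions; the analyze job grants only what CodeQL upload needs` would make the intent explicit. Because `paths-ignore` is set on `pull_request` but not on `push`, a docs-only PR produces no CodeQL check run, which only matters if code scanning is configured as a required status check on `main` — worth confirming against the branch protection settings before merging.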