Skip to content

feauture: add codeql worflow#20

Merged
AteebNoOne merged 5 commits into
iTeebot:mainfrom
anidroid1184:feature/add-code-ql-for-security-scanning
Jul 12, 2026
Merged

feauture: add codeql worflow#20
AteebNoOne merged 5 commits into
iTeebot:mainfrom
anidroid1184:feature/add-code-ql-for-security-scanning

Conversation

@anidroid1184

@anidroid1184 anidroid1184 commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Contribution Checklist

  • ⭐ I have starred the repository
  • 🔀 I have forked the repository and created a new branch for my changes
  • 📖 I have read the CONTRIBUTING.md guide

Description

Add a CodeQL workflow for security scanning.

Closes #13

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to change)
  • 📝 Documentation update
  • 🔧 Refactor (code change that neither fixes a bug nor adds a feature)
  • ⚡ Performance improvement
  • ✅ Test addition or update
  • 🏗️ CI/CD or build system change

Checklist

  • I have added or updated tests that prove my fix is effective or my feature works
  • cargo clippy --all-targets -- -D warnings passes with no warnings
  • cargo fmt --check passes with no formatting issues
  • cargo test --all-targets passes
  • cargo test --doc passes
  • I have updated documentation as needed (rustdoc, README, etc.)
  • I have updated the changelog (if applicable)
  • My changes do not introduce any new unsafe code (or it is properly justified and documented)

Summary by CodeRabbit

  • Chores
    • Added automated CodeQL security analysis for Rust on pushes and pull requests targeting the main branch.
    • Enabled a weekly scheduled CodeQL scan to proactively catch vulnerabilities.
  • Bug Fixes
    • Improved debug-time validation for decoded entity inputs to ensure the expected format is provided.
  • Tests
    • Simplified workspace-root detection logic in the compatibility test harness without changing behavior.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4737ed50-adce-49f2-9807-222a9d921e65

📥 Commits

Reviewing files that changed from the base of the PR and between 5e4aebd and 7ef2e6f.

📒 Files selected for processing (1)
  • tests/compat/harness.rs
💤 Files with no reviewable changes (1)
  • tests/compat/harness.rs

📝 Walkthrough

Walkthrough

Adds Rust CodeQL scanning for main-branch changes and weekly runs, while simplifying entity decoder assertions and workspace-root traversal.

Changes

Repository maintenance

Layer / File(s) Summary
Configure CodeQL analysis
.github/workflows/codeql.yml
Adds CodeQL triggers, restricted permissions, checkout, Rust initialization, and analysis steps using CodeQL Action v4.
Simplify decoder and harness checks
crates/tinyxml2/src/entity.rs, tests/compat/harness.rs
Replaces boolean debug assertions with equality assertions and simplifies parent-directory traversal while preserving behavior.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and clearly describes the main change: adding a CodeQL workflow, despite minor typos.
Linked Issues check ✅ Passed The PR adds .github/workflows/codeql.yml, targets Rust, and triggers on main pushes, PRs, and a weekly schedule as requested.
Out of Scope Changes check ✅ Passed The Clippy-driven fixes in entity.rs and harness.rs are directly related to the workflow work and reviewer feedback, not unrelated scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 27-28: Update the CodeQL workflow’s “Checkout repository” step
using actions/checkout@v4 to set persist-credentials: false, preventing the
checkout action from storing GITHUB_TOKEN credentials in the local Git
configuration.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f933b3e7-0fdd-4d9d-a79c-a794f0f833ec

📥 Commits

Reviewing files that changed from the base of the PR and between e51df83 and 7f190fc.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml

Comment thread .github/workflows/codeql.yml
@AteebNoOne AteebNoOne self-requested a review July 11, 2026 13:10
@AteebNoOne

Copy link
Copy Markdown
Member

@anidroid1184 thank you for contribution can you check the lints please. Thank you!

@anidroid1184

Copy link
Copy Markdown
Contributor Author

@AteebNoOne sure, I'll fix that

@anidroid1184

Copy link
Copy Markdown
Contributor Author

@AteebNoOne I've identified that crates/tinyxml2/src/entity.rs (lines 126 and 168) triggers the clippy::manual-assert-eq warning. I'll update these debug_assert! calls to use debug_assert_eq! as suggested by the compiler to improve idiomatic code and error reporting.

@AteebNoOne AteebNoOne left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is a security warning in your pr please fix that

Comment thread .github/workflows/codeql.yml
@anidroid1184

Copy link
Copy Markdown
Contributor Author

@AteebNoOne

I am encountering an issue where cargo clippy passes locally but fails in the CI workflow. I’ve noticed the workflow reports errors regarding debug_assert! usage that aren't appearing in my local environment. I’ll investigate the differences between my local toolchain and the CI environment to resolve these linting errors.

image

@AteebNoOne

Copy link
Copy Markdown
Member

@AteebNoOne

I am encountering an issue where cargo clippy passes locally but fails in the CI workflow. I’ve noticed the workflow reports errors regarding debug_assert! usage that aren't appearing in my local environment. I’ll investigate the differences between my local toolchain and the CI environment to resolve these linting errors.

image

Yes i know I'll fix that in the test file

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
tests/compat/harness.rs (1)

194-196: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Remove leftover dev comment.

// lines suggested by clippy reads like an internal note rather than documentation and adds no value to readers.

🧹 Proposed cleanup
-        {
-            // lines suggested by clippy
-            let parent = dir.parent()?;
+        {
+            let parent = dir.parent()?;
             dir = parent.to_path_buf();
         }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/compat/harness.rs` around lines 194 - 196, Remove the leftover “lines
suggested by clippy” comment immediately before the parent assignment in the
surrounding test harness block, leaving the let parent = dir.parent()? statement
and behavior unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/compat/harness.rs`:
- Around line 194-196: Remove the leftover “lines suggested by clippy” comment
immediately before the parent assignment in the surrounding test harness block,
leaving the let parent = dir.parent()? statement and behavior unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f5c9d041-1116-4dae-a5b3-0de4b83b9a40

📥 Commits

Reviewing files that changed from the base of the PR and between a064f38 and 5e4aebd.

📒 Files selected for processing (2)
  • crates/tinyxml2/src/entity.rs
  • tests/compat/harness.rs
✅ Files skipped from review due to trivial changes (1)
  • crates/tinyxml2/src/entity.rs

@anidroid1184

Copy link
Copy Markdown
Contributor Author

@AteebNoOne

I have resolved the recent CI failures caused by new clippy lint warnings introduced in newer Rust versions (specifically 1.97.0). The CI workflow uses the latest stable toolchain, while my local environment required an update to catch these issues.

I have addressed the following lint suggestions:

manual_assert_eq: Replaced debug_assert!(a == b) with debug_assert_eq!(a, b) in crates/tinyxml2/src/entity.rs for better debugging output, as recommended by Clippy's documentation.

question_mark: Simplified block structures using the ? operator in tests/compat/harness.rs, aligning the code with idiomatic Rust practices described in Clippy's documentation.

These changes ensure the codebase complies with the latest linting standards enforced in the workflow.

@AteebNoOne

Copy link
Copy Markdown
Member

@AteebNoOne

I have resolved the recent CI failures caused by new clippy lint warnings introduced in newer Rust versions (specifically 1.97.0). The CI workflow uses the latest stable toolchain, while my local environment required an update to catch these issues.

I have addressed the following lint suggestions:

manual_assert_eq: Replaced debug_assert!(a == b) with debug_assert_eq!(a, b) in crates/tinyxml2/src/entity.rs for better debugging output, as recommended by Clippy's documentation.

question_mark: Simplified block structures using the ? operator in tests/compat/harness.rs, aligning the code with idiomatic Rust practices described in Clippy's documentation.

These changes ensure the codebase complies with the latest linting standards enforced in the workflow.

There's a fix recommend by coderabbit can you please check that too so we can merge it right now

@AteebNoOne

Copy link
Copy Markdown
Member

@AteebNoOne

I have resolved the recent CI failures caused by new clippy lint warnings introduced in newer Rust versions (specifically 1.97.0). The CI workflow uses the latest stable toolchain, while my local environment required an update to catch these issues.

I have addressed the following lint suggestions:

manual_assert_eq: Replaced debug_assert!(a == b) with debug_assert_eq!(a, b) in crates/tinyxml2/src/entity.rs for better debugging output, as recommended by Clippy's documentation.

question_mark: Simplified block structures using the ? operator in tests/compat/harness.rs, aligning the code with idiomatic Rust practices described in Clippy's documentation.

These changes ensure the codebase complies with the latest linting standards enforced in the workflow.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @tests/compat/harness.rs:

  • Around line 194-196: Remove the leftover “lines suggested by clippy” comment
    immediately before the parent assignment in the surrounding test harness block,
    leaving the let parent = dir.parent()? statement and behavior unchanged.

@anidroid1184

Copy link
Copy Markdown
Contributor Author

@AteebNoOne sure

@AteebNoOne AteebNoOne merged commit dd45aa7 into iTeebot:main Jul 12, 2026
22 checks passed
@anidroid1184 anidroid1184 deleted the feature/add-code-ql-for-security-scanning branch July 12, 2026 02:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Good First Issue]: Add CodeQL workflow for security scanning

3 participants