ci: add CodeQL analysis for Python and GitHub Actions#1053

Open
Aaron ("AJ") Steers (aaronsteers) wants to merge 2 commits into
mainfrom
devin/1783103177-add-codeql

Conversation

Aaron ("AJ") Steers (aaronsteers), Member, commented Jul 3, 2026

Summary

Adds CodeQL security scanning with python and actions language analyzers using the security-and-quality query suite.

The actions analyzer detects GitHub Actions-specific vulnerabilities like script injection (actions/dangerous-action-command), missing permissions blocks, and untrusted checkout.

Runs on push/PR to main and weekly on Monday.

Link to Devin session: https://app.devin.ai/sessions/fe5d63b3474f4fe6990b6f8f7a47f8ed
Requested by: Aaron ("AJ") Steers (@aaronsteers)

Summary by CodeRabbit

  • New Features
    • Added automated code scanning for the repository to help catch security and quality issues earlier.
    • Code analysis now runs on pull requests, pushes to the main branch, and on a weekly schedule.

devin-ai-integration Bot and others added 2 commits July 3, 2026 18:27
Enables CodeQL security scanning with python and actions language
analyzers using the security-and-quality query suite. The actions
analyzer detects workflow vulnerabilities like script injection,
missing permissions, and untrusted checkout.

Co-Authored-By: AJ Steers <aj@airbyte.io>
Co-Authored-By: AJ Steers <aj@airbyte.io>
devin-ai-integration Bot (Contributor) commented

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

github-actions Bot commented Jul 3, 2026

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1783103177-add-codeql' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1783103177-add-codeql'

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /fix-pr - Fixes most formatting and linting issues
  • /uv-lock - Updates uv.lock file
  • /test-pr - Runs tests with the updated PyAirbyte
  • /prerelease - Builds and publishes a prerelease version to PyPI
Helpful Resources

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.

@devin-ai-integration devin-ai-integration Bot marked this pull request as ready for review July 3, 2026 18:31

devin-ai-integration Bot (Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

coderabbitai Bot (Contributor) commented Jul 3, 2026

Walkthrough

Adds a new GitHub Actions workflow file .github/workflows/codeql.yml that runs CodeQL security analysis on push, pull request, and a weekly schedule, using a matrix job over python and actions languages.

Changes

CodeQL Workflow Setup

| Layer / File(s) | Summary |
|---|---|
| CodeQL analysis workflow (.github/workflows/codeql.yml) | New workflow triggered on push/pull_request to main and weekly cron, with concurrency control, scoped permissions, and a matrix job (python, actions) that checks out code and runs CodeQL init/analyze steps. |

Estimated code review effort: 1 (Trivial) | ~5 minutes

Related Issues: None specified.

Related PRs: None specified.

Suggested labels: ci, github-actions, security

Suggested reviewers: Would it make sense to loop in someone from the security or DevOps side who owns CI configs, wdyt?

Poem

A rabbit hops through workflows new,
CodeQL now stands watch for you,
On push and pull, each Monday morn,
Security checks are quietly born,
Hop hop hooray, the scan is true! 🐇

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding CodeQL analysis for Python and GitHub Actions. |
coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
.github/workflows/codeql.yml (1)

30-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Could you pin actions/checkout and github/codeql-action to reviewed SHAs, and bump CodeQL from @v3 to @v4? In .github/workflows/codeql.yml, the workflow still relies on mutable major tags; pinning them would better match the supply-chain hardening this job is meant to provide.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 30 - 41, The CodeQL workflow is
still using mutable action tags, so update the checkout and CodeQL steps in the
workflow to reference reviewed commit SHAs instead of version tags. Locate the
`actions/checkout` usage and the `github/codeql-action/init` and
`github/codeql-action/analyze` steps, pin each to a reviewed SHA, and bump the
CodeQL action reference from v3 to v4 while keeping the existing workflow
behavior unchanged.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9688765f-31ae-4fa3-82ec-8968c2e4ecad

📥 Commits

Reviewing files that changed from the base of the PR and between 1e2d7d8 and d611e9c.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
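The pin-to-SHA and v3-to-v4 points in the review above, turned into a small check. This is an added example, not the PR's workflow file or CodeRabbit's tooling: it scans a constructed workflow of the shape the walkthrough describes (python/actions matrix, checkout, CodeQL init/analyze) for action references that are mutable tags instead of full commit SHAs, for codeql-action steps below the current major version, and for a missing permissions block.

```python
import re

# Constructed sample workflow (NOT the PR's real .github/workflows/codeql.yml):
# same shape as the walkthrough describes, with the mutable major tags
# the review comment flags.
SAMPLE_WORKFLOW = """\
name: CodeQL
on:
  push: {branches: [main]}
  pull_request: {branches: [main]}
  schedule: [{cron: '0 6 * * 1'}]
permissions: {contents: read, security-events: write}
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix: {language: [python, actions]}
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality
      - uses: github/codeql-action/analyze@v3
"""

# Matches `uses: owner/repo[/path]@ref`; a trailing "# vX.Y.Z" comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-]+/[\w.\-/]+)@([^\s#]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned_actions(workflow_text: str) -> list[tuple[str, str]]:
    """(action, ref) pairs whose ref is a mutable tag/branch, not a 40-hex SHA."""
    return [(action, ref) for action, ref in USES_RE.findall(workflow_text)
            if not FULL_SHA_RE.match(ref)]

def find_outdated_codeql(workflow_text: str, current_major: int = 4) -> list[tuple[str, str]]:
    """codeql-action steps whose major version is below current_major (v3 -> v4)."""
    found = []
    for action, ref in USES_RE.findall(workflow_text):
        m = re.match(r"^v(\d+)", ref)
        if action.startswith("github/codeql-action/") and m and int(m.group(1)) < current_major:
            found.append((action, ref))
    return found

def has_permissions_block(workflow_text: str) -> bool:
    """True if the workflow declares a permissions block (missing ones are
    one of the things the actions analyzer flags)."""
    return re.search(r"^\s*permissions:", workflow_text, re.M) is not None
```

A pinned step keeps the version in a trailing comment (`uses: actions/checkout@<40-hex sha>  # v4.x.y`) so the human-readable version survives while the ref itself is immutable.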

github-code-quality Bot (Contributor) commented Jul 3, 2026

Code Coverage Overview

Languages: Python

Python / code-coverage/pytest-fast

The overall coverage in the branch is 67%. The coverage in the branch is 65%.

Code coverage summary of the most impacted files:

| File | d9f652f | d611e9c | +/- |
|---|---|---|---|
| airbyte/_util/api_util.py | 36% | 37% | +1% |
| airbyte/registry.py | 70% | 72% | +2% |
| airbyte/mcp/_tool_utils.py | 72% | 77% | +5% |
| airbyte/mcp/int...c_history_ui.py | 0% | 36% | +36% |
| airbyte/mcp/int...hared_models.py | 0% | 81% | +81% |
| airbyte/cloud/models.py | 0% | 91% | +91% |
| airbyte/mcp/int..._registry_ui.py | 0% | 92% | +92% |
| airbyte/mcp/int...nc_status_ui.py | 0% | 97% | +97% |
| airbyte/mcp/int...ive/__init__.py | 0% | 100% | +100% |
| airbyte/mcp/int...tive/_prefab.py | 0% | 100% | +100% |

Python / code-coverage/pytest-no-creds

The overall coverage in the branch is 67%. The coverage in the branch is 65%.

Code coverage summary of the most impacted files:

| File | d9f652f | d611e9c | +/- |
|---|---|---|---|
| airbyte/_util/api_util.py | 36% | 37% | +1% |
| airbyte/registry.py | 70% | 72% | +2% |
| airbyte/mcp/_tool_utils.py | 72% | 77% | +5% |
| airbyte/mcp/int...c_history_ui.py | 0% | 36% | +36% |
| airbyte/mcp/int...hared_models.py | 0% | 81% | +81% |
| airbyte/cloud/models.py | 0% | 91% | +91% |
| airbyte/mcp/int..._registry_ui.py | 0% | 92% | +92% |
| airbyte/mcp/int...nc_status_ui.py | 0% | 97% | +97% |
| airbyte/mcp/int...ive/__init__.py | 0% | 100% | +100% |
| airbyte/mcp/int...tive/_prefab.py | 0% | 100% | +100% |

Python / code-coverage/pytest

The overall coverage in the branch is 72%. The coverage in the branch is 71%.

Code coverage summary of the most impacted files:

| File | d9f652f | d611e9c | +/- |
|---|---|---|---|
| airbyte/registry.py | 70% | 72% | +2% |
| airbyte/mcp/_tool_utils.py | 72% | 77% | +5% |
| airbyte/mcp/server.py | 69% | 76% | +7% |
| airbyte/mcp/int...c_history_ui.py | 0% | 36% | +36% |
| airbyte/mcp/int...hared_models.py | 0% | 81% | +81% |
| airbyte/mcp/int..._registry_ui.py | 0% | 92% | +92% |
| airbyte/cloud/models.py | 0% | 93% | +93% |
| airbyte/mcp/int...nc_status_ui.py | 0% | 97% | +97% |
| airbyte/mcp/int...ive/__init__.py | 0% | 100% | +100% |
| airbyte/mcp/int...tive/_prefab.py | 0% | 100% | +100% |

Updated July 03, 2026 18:56 UTC