chore(ci): adding codeql #98

Merged
samber merged 1 commit into master from chore/adding-codeql
Feb 25, 2026

samber (Owner) commented Feb 25, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 25, 2026 18:14

codecov bot commented Feb 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.47%. Comparing base (596dafd) to head (593a629).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master      #98   +/-   ##
=======================================
  Coverage   87.47%   87.47%           
=======================================
  Files          28       28           
  Lines        1980     1980           
=======================================
  Hits         1732     1732           
  Misses        227      227           
  Partials       21       21           
Flag | Coverage Δ
unittests | 87.47% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Copilot AI left a comment

Pull request overview

This PR updates the CI workflows to run on pull_request and adds CodeQL code scanning into the existing lint workflow.

Changes:

  • Enable pull_request triggers (and restrict push triggers to master) for test and lint workflows.
  • Add a weekly scheduled run for the lint workflow.
  • Add CodeQL init/autobuild/analyze steps to the lint workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File | Description
.github/workflows/test.yml | Adds pull_request trigger and restricts push runs to the master branch.
.github/workflows/lint.yml | Adds schedule + CodeQL scanning steps and introduces explicit job permissions.


strategy:
fail-fast: false
permissions:
# required for codeql analysis

Copilot AI Feb 25, 2026

The job-level permissions block sets only security-events: write. In GitHub Actions, specifying any job permissions usually sets all unspecified permissions to none, which can break actions/checkout (needs at least contents: read) and CodeQL initialization. Add explicit contents: read (and any other required scopes such as actions: read if needed) alongside security-events: write.

Suggested change
# required for codeql analysis
# required for codeql analysis
contents: read

Comment on lines +35 to +41
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: go
- name: Autobuild
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
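
Review bot: both `uses:` lines in this hunk (`github/codeql-action/init@v4` and `github/codeql-action/autobuild@v4`) track a movable major-version tag, so the code that runs in this job can change without any commit to this repository. Consider pinning each action to a full commit SHA and keeping the tag as a trailing comment, with an automated updater proposing the bumps.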

Copilot AI Feb 25, 2026

Because the CodeQL steps are placed after other steps in this job, any failure earlier (e.g., linting or Bearer) will prevent CodeQL from running and uploading results. If you want CodeQL results even when other checks fail, run CodeQL in a separate job (recommended) or ensure the CodeQL steps run with appropriate if: always() / continue-on-error handling on earlier steps.

Suggested change
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: go
- name: Autobuild
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
- name: Initialize CodeQL
if: always()
uses: github/codeql-action/init@v4
with:
languages: go
- name: Autobuild
if: always()
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
if: always()

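The separate-job layout mentioned in the review comment above, combined with the explicit `contents: read` scope from the first comment, written out as an added example (not the repository's actual workflow). The job names, the cron time and the `go vet` lint step are assumptions, and the `analyze@v4` step is assumed to follow the `init` and `autobuild` steps shown on the page.

```yaml
# Added example, not the merged workflow file.
name: lint

on:
  push:
    branches: [master]
  pull_request:
  schedule:
    - cron: "0 6 * * 1" # weekly; day and hour are assumptions

# Start with no token scopes; each job grants only what it needs.
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read # needed by actions/checkout
    steps:
      - uses: actions/checkout@v4
      - name: Lint
        run: go vet ./... # stand-in for the repository's real lint steps

  codeql:
    # Separate job: a failing lint step cannot skip the scan or its upload.
    runs-on: ubuntu-latest
    permissions:
      security-events: write # upload results to code scanning
      contents: read # needed by actions/checkout
    steps:
      # Tags match the page; pin to full commit SHAs where policy requires it.
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: go
      - name: Autobuild
        uses: github/codeql-action/autobuild@v4
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
```

With the top-level `permissions: {}` in place, a job that omits its own `permissions` block gets a token with no scopes, so a missing `contents: read` shows up as a checkout failure instead of silently inheriting the repository default.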
samber merged commit 1e07f43 into master Feb 25, 2026
17 checks passed
samber deleted the chore/adding-codeql branch February 25, 2026 18:17