From 5549912f0968e17590b23ea8184207301f58528d Mon Sep 17 00:00:00 2001
From: "Andrei G."
Date: Fri, 20 Mar 2026 00:15:16 +0100
Subject: [PATCH 1/3] fix(ci): add CodeQL workflow for fork pull requests

GitHub's default CodeQL setup only runs on PRs from the same repository. Fork PRs (like #72) are skipped because pull_request events from forks don't have write access to the base repo's security events. Add an explicit codeql.yml workflow using pull_request_target so CodeQL analysis runs for both fork and non-fork PRs. The workflow checks out the PR head SHA explicitly while keeping permissions minimal (security-events: write, contents: read only).

---
 .github/workflows/codeql.yml | 42 ++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..b58f4ed
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,42 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request_target:
+ branches: [main]
+ schedule:
+ - cron: "0 6 * * 1"
+
+permissions: {}
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ security-events: write
+ contents: read
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [actions, rust]
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-extended
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"

From 34f0b20cb9de4b68d23b643f2482a602214f46ae Mon Sep 17 00:00:00 2001
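Review bot: Every `uses:` in this hunk references a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`), which matters more than usual here because the job is triggered by `pull_request_target` and holds `security-events: write` on the base repository. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-sha>  # v4`, so a retagged or compromised action release cannot run inside this privileged job; Dependabot's `github-actions` ecosystem can keep SHA pins current. The `queries: security-extended` and explicit `timeout-minutes` are good as written.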
From: "Andrei G."
Date: Fri, 20 Mar 2026 00:22:39 +0100
Subject: [PATCH 2/3] fix(ci): remove unsafe checkout ref in pull_request_target workflow

Checking out fork head SHA in a pull_request_target context grants untrusted code access to the privileged workflow environment. Remove the explicit ref override so checkout defaults to the base branch, which is the correct and secure behavior for CodeQL analysis. Fixes CodeQL alert: Checkout of untrusted code in trusted context

---
 .github/workflows/codeql.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b58f4ed..1d17e88 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -24,8 +24,6 @@ jobs:
 language: [actions, rust] steps: - uses: actions/checkout@v4
- with:
- ref: ${{ github.event.pull_request.head.sha }}
 - name: Initialize CodeQL uses: github/codeql-action/init@v3

From 9eaeb30fdbedc491257ba08859f365244814e038 Mon Sep 17 00:00:00 2001
From: "Andrei G."
Date: Fri, 20 Mar 2026 00:31:41 +0100
Subject: [PATCH 3/3] fix(ci): restore fork head checkout with security justification

Restore ref: pull_request.head.sha for pull_request_target so CodeQL scans the actual fork PR changes instead of the base branch. This pattern is safe because the job has no access to secrets and only holds security-events: write + contents: read permissions. Added inline comment to suppress the CodeQL false-positive alert and document the security reasoning.

---
 .github/workflows/codeql.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1d17e88..1f4901f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,11 @@ on:
 schedule: - cron: "0 6 * * 1"
+# Minimal permissions: no secrets exposed, no write access beyond security-events.
+# pull_request_target with checkout of fork head SHA is safe here because:
+# - no secrets are passed to the job
+# - autobuild compiles but does not execute code with elevated privileges
+# - this is the only supported pattern for scanning fork PRs with CodeQL
 permissions: {} jobs:
@@ -24,6 +29,11 @@ jobs:
 language: [actions, rust] steps: - uses: actions/checkout@v4
+ with:
+ # For pull_request_target: check out the fork head to scan PR changes.
+ # For push/schedule: github.sha resolves to the pushed commit.
+ # Safe because this job has no access to secrets.
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: Initialize CodeQL uses: github/codeql-action/init@v3
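Review bot: The justification in the new comment block does not hold for the checkout restored in the second hunk: the job still carries `GITHUB_TOKEN` with `security-events: write` on the base repository, `actions/checkout@v4` leaves that token in `.git/config` by default (`persist-credentials: true`), and the `rust` matrix entry then runs `autobuild` on the fork's tree, where `build.rs` scripts and proc-macros are attacker-controlled code that executes at compile time. A malicious fork PR can therefore read the token and, with `security-events: write`, upload forged SARIF or dismiss code scanning alerts on `main`. At minimum add `persist-credentials: false` next to the new `ref:` line and do not compile untrusted code in this job — use `build-mode: none` in the init step and drop the autobuild step if the Rust extractor supports it, after confirming that build-less extraction does not itself run build scripts (rust-analyzer-based tooling commonly does); otherwise keep fork PRs on `pull_request` and skip the upload rather than scan them under `pull_request_target`. The lines `# - no secrets are passed to the job` and `# - autobuild compiles but does not execute code with elevated privileges` should be replaced with what is actually true, e.g. `# GITHUB_TOKEN (security-events: write) is still present in this job; nothing from the checked-out tree may execute here.` Separately, under `pull_request_target` the analyze step derives the target ref from the base-branch context, so confirm the uploaded results are attributed to the PR head rather than to `main` (I believe analyze accepts explicit `ref`/`sha` inputs for this).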