From bfe64d169ac8b88c3093306a782c4ce08f0de7e4 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 16 May 2026 16:59:21 +0100
Subject: [PATCH] ci: fix Mirror-to-Radicle dir + bump codeql-action to v3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two pre-existing red main checks, both in-repo workflow bugs (not
secrets, not source):

- mirror.yml "Mirror to Radicle": wrote the key to
  ~/.radicle/keys/radicle before that directory existed
  (`No such file or directory`). RADICLE_KEY secret is already
  configured — add `mkdir -p ~/.radicle/keys` before the write.

- codeql.yml: pinned at github/codeql-action @v3.28.1 which rejected
  the `actions` language ("Did not recognize the following languages:
  actions"). Bump init + analyze to the maintained v3 major
  (458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3), which supports the
  GitHub Actions CodeQL language; SHA-pinned per org policy.

Unrelated to the #122/#30 source migration; clears two pre-existing
estate-infra reds with no behaviour change to ubicity itself.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/codeql.yml | 4 ++--
 .github/workflows/mirror.yml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cc360a6..99b86d6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -30,12 +30,12 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+        uses: github/codeql-action/init@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
+        uses: github/codeql-action/analyze@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3
         with:
           category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index 268fdb8..7d29b9e 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -140,6 +140,7 @@ jobs:
 
       - name: Mirror to Radicle
         run: |
+          mkdir -p ~/.radicle/keys
           echo "${{ secrets.RADICLE_KEY }}" > ~/.radicle/keys/radicle
           chmod 600 ~/.radicle/keys/radicle
           rad sync --announce || echo "Radicle sync attempted"