
ci: add CodeQL analysis workflow#1414

Open
superdav42 wants to merge 3 commits into
mainfrom
fix/codeql-workflow

Conversation

@superdav42

@superdav42 superdav42 commented Jun 12, 2026

Collaborator

Summary

  • Add a CodeQL workflow for JavaScript/TypeScript analysis.
  • Run analysis on pull requests, pushes to main, a weekly schedule, and manual dispatch.
  • Enable +security-and-quality queries so GitHub receives code quality/code scanning results for the supported analyzed language.
  • Leave PHP quality coverage to the existing PHPCS/PHPStan workflow because CodeQL does not support PHP analysis.

Verification

  • git diff --check
  • Python workflow validation for required CodeQL entries, absence of unsupported PHP CodeQL language, and whitespace
  • Pre-commit hook passed: no PHP, JS, or CSS files to check

Notes

  • No plugin runtime code changes.
  • After this merges to main, rerun checks or update open PR branches so the CodeQL code quality requirement receives fresh results.

aidevops.sh v3.20.57 plugin for OpenCode v1.17.4 with gpt-5.5 spent 13m and 221,882 tokens on this with the user in an interactive session.

Summary by CodeRabbit

  • Chores
    • Added an automated CodeQL security analysis workflow that runs on pushes and pull requests to main, on a weekly schedule, and via manual dispatch; currently configured for JavaScript/TypeScript projects.

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Contributor


Warning

Review limit reached

@superdav42, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 16 minutes and 27 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0a798455-61ff-46eb-9076-2812061ffa63

📥 Commits

Reviewing files that changed from the base of the PR and between 5a51d77 and e8d167e.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
📝 Walkthrough

Adds a GitHub Actions workflow .github/workflows/codeql.yml that runs CodeQL analysis (javascript-typescript) on pushes and PRs to main, weekly via cron, and on manual dispatch; sets repository/action read permissions and security-events write, and runs CodeQL init/analyze with the security-and-quality query set.

Changes

CodeQL Security Analysis Workflow

Layer: CodeQL workflow configuration
File(s): .github/workflows/codeql.yml
Summary: Adds a workflow triggered on pushes/PRs to main, weekly cron (32 4 * * 1), and workflow_dispatch. Sets contents, actions, pull-requests read permissions and security-events: write. Defines an analyze job on ubuntu-latest with a javascript-typescript matrix and runs CodeQL init/analyze using +security-and-quality and a per-language analysis category.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

status:available

Poem

🐰 I hopped through YAML, neat and spry,
A watcher placed to guard the sky,
CodeQL scans in morning light,
JavaScript checks through day and night,
Safe commits make my whiskers bright.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'ci: add CodeQL analysis workflow' accurately and concisely describes the main change in the changeset: adding a new GitHub Actions workflow for CodeQL analysis.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@superdav42 superdav42 added origin:interactive Created by interactive user session status:in-review PR open, awaiting review/merge labels Jun 12, 2026
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions


🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limited; hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Line 36: Replace the mutable tags for the CodeQL actions with immutable full
commit SHAs: change "github/codeql-action/init@v3" and
"github/codeql-action/analyze@v3" to their corresponding full commit SHAs (e.g.,
github/codeql-action/init@<full-sha> and
github/codeql-action/analyze@<full-sha>), ensuring both entries use explicit
commit hashes rather than version tags; fetch the current recommended commit
SHAs from the codeql-action repository releases or the action's default branch
commit history and update the workflow accordingly.
- Around line 32-33: The checkout step using actions/checkout (the step with
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) must disable
credential persistence to avoid leaving the runner configured with the
GITHUB_TOKEN; add the key persist-credentials: false under that checkout step
and keep any existing keys (e.g., ref or fetch-depth) intact so the action still
behaves the same but no credentials are persisted to the runner.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d961175-e76c-4ca1-9393-2d1fd8b4ceca

📥 Commits

Reviewing files that changed from the base of the PR and between bc4d4bb and 7a4f669.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml
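The two findings above (mutable `@v3` refs on the codeql-action steps, and `actions/checkout` without `persist-credentials: false`) and the "Python workflow validation" item in the PR's Verification list can be checked mechanically. The following is an added example, not the PR's own validation script and not the repository's workflow file: it lints a constructed approximation of `codeql.yml` reconstructed from the walkthrough, then the same text with both review fixes applied. The `actions/checkout` SHA is the one quoted in the review; the codeql-action SHAs are 40-zero placeholders, not real commits, and must be replaced with the SHA of the release being pinned.

```python
"""Line-based lint for a CodeQL workflow: mutable action refs, checkout without
persist-credentials: false, required CodeQL entries, and an unsupported 'php'
language. Stdlib only; it handles the simple step/with layout used here."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s@]+)@(\S+)")
LANG_LIST_RE = re.compile(r"^\s*language:\s*\[([^\]]*)\]", re.M)

# Constructed approximation of the workflow as first submitted (not the PR's file).
# The checkout SHA is the one quoted in the review; the codeql-action refs are tags.
WORKFLOW_AS_REVIEWED = """\
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "32 4 * * 1"
  workflow_dispatch:
permissions:
  contents: read
  actions: read
  pull-requests: read
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [javascript-typescript]
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
"""

# Placeholder, NOT a real commit: substitute the SHA of the codeql-action release you pin.
PLACEHOLDER_SHA = "0" * 40

# The same workflow with both review findings applied.
HARDENED = (
    WORKFLOW_AS_REVIEWED
    .replace("init@v3", "init@" + PLACEHOLDER_SHA)
    .replace("analyze@v3", "analyze@" + PLACEHOLDER_SHA)
    .replace(
        "uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5\n",
        "uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5\n"
        "        with:\n"
        "          persist-credentials: false\n",
    )
)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _step_body(lines, start, step_indent):
    # Lines that belong to the step whose `uses:` sits at index `start`.
    body = []
    for nxt in lines[start + 1:]:
        if nxt.strip() and _indent(nxt) <= step_indent:
            break
        if nxt.strip():
            body.append(nxt)
    return body


def lint_workflow(text):
    """Return a list of findings; an empty list means the workflow passes."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not SHA_RE.match(ref):
            findings.append(f"line {idx + 1}: {action}@{ref} is a mutable ref; pin a full commit SHA")
        if action == "actions/checkout":
            # Indent of the step's '-' tells us where this step's block ends.
            step_indent = _indent(line) if line.lstrip().startswith("- ") else _indent(line) - 2
            body = _step_body(lines, idx, step_indent)
            if not any(re.match(r"\s*persist-credentials:\s*false\s*$", b) for b in body):
                findings.append(f"line {idx + 1}: actions/checkout must set persist-credentials: false")
    for required in ("github/codeql-action/init@", "github/codeql-action/analyze@",
                     "security-events: write"):
        if required not in text:
            findings.append(f"missing required entry: {required}")
    for match in LANG_LIST_RE.finditer(text):
        langs = [item.strip().strip("\"'") for item in match.group(1).split(",")]
        if "php" in langs:
            findings.append("language matrix lists php, which CodeQL does not support")
    return findings
```

`lint_workflow(WORKFLOW_AS_REVIEWED)` reports three findings (the two `@v3` refs and the missing `persist-credentials: false`); `lint_workflow(HARDENED)` returns an empty list. The persist-credentials check matters because `actions/checkout` otherwise leaves `GITHUB_TOKEN` in the checkout's git config, where any later step or third-party action in the job can read it; the SHA check matters because a tag like `v3` can be moved to a different commit, whereas a full commit hash cannot. The linter is deliberately stdlib-only and line-oriented so it can run as a pre-commit hook without PyYAML; it assumes the step/with layout shown and a flow-style `language: [...]` matrix, which is what this workflow uses.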


@superdav42

Collaborator Author

CLAIM_RELEASED reason=worker_complete runner=superdav42 ts=2026-06-12T23:14:46Z aidevops_version=3.20.57 opencode_version=1.17.4
