From d03392c5abe371592970f0e0bc269a46b92150be Mon Sep 17 00:00:00 2001
From: Matthew Fishman
Date: Mon, 4 May 2026 20:17:53 -0400
Subject: [PATCH 1/2] Add CodeQL caller workflow for this repo's own PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The reusable workflow already lives at .github/workflows/CodeQL.yml in this repo, so the caller has to use a different filename to avoid colliding with the reusable definition. The workflow's name: is still "CodeQL" so the displayed status check matches "CodeQL / Analyze (actions)" — matching every other repo that uses this reusable, and what branch-protection rulesets require.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/CodeQLCaller.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/CodeQLCaller.yml
diff --git a/.github/workflows/CodeQLCaller.yml b/.github/workflows/CodeQLCaller.yml
new file mode 100644
index 0000000..6ca7851
--- /dev/null
+++ b/.github/workflows/CodeQLCaller.yml
@@ -0,0 +1,23 @@
+name: "CodeQL"
+
+# Caller for this repo's own PRs. The reusable lives at
+# `CodeQL.yml` in this same repo, so this caller has to use a
+# different filename to avoid colliding with it. The workflow's
+# `name:` is still "CodeQL" so the displayed status check matches
+# `CodeQL / Analyze (actions)` — same as every other repo that
+# uses this reusable, and what branch protection rulesets require.
+
+on:
+ pull_request:
+ branches:
+ - "main"
+
+permissions:
+ contents: "read"
+ security-events: "write"
+ actions: "read"
+
+jobs:
+ codeql:
+ name: "CodeQL"
+ uses: "ITensor/ITensorActions/.github/workflows/CodeQL.yml@v2"
From 16bd9238c3737889a9bccbfbdd4b4486854e2e87 Mon Sep 17 00:00:00 2001
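Review bot: The `uses:` line at the end of the new file resolves the reusable workflow through the movable tag `@v2`, so the code that runs with `security-events: write` is whatever that tag points to when the job starts, not something this commit fixes. Pinning to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: "ITensor/ITensorActions/.github/workflows/CodeQL.yml@<full-commit-sha>"  # v2`, makes the executed version auditable; if the tag is kept on purpose, restricting who may move `v2` covers the same risk. Since the commit message says the reusable lives in this same repository, a PR that edits `CodeQL.yml` would presumably be checked by the tagged copy rather than by its own changes, which is worth stating in the PR description. The workflow triggers only on `pull_request`; whether `main` gets a baseline scan elsewhere is not visible here.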
From: Matthew Fishman
Date: Mon, 4 May 2026 21:28:29 -0400
Subject: [PATCH 2/2] Drop explanatory comment from CodeQLCaller.yml
Make the file byte-identical to the canonical CodeQL.yml that the codeql_advanced_setup patch installs in every other repo. The only difference between this file and theirs is the filename, dictated by the reusable definition already occupying CodeQL.yml in this repo.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/CodeQLCaller.yml | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/.github/workflows/CodeQLCaller.yml b/.github/workflows/CodeQLCaller.yml
index 6ca7851..d2fcb68 100644
--- a/.github/workflows/CodeQLCaller.yml
+++ b/.github/workflows/CodeQLCaller.yml
@@ -1,22 +1,12 @@
 name: "CodeQL"
-
-# Caller for this repo's own PRs. The reusable lives at
-# `CodeQL.yml` in this same repo, so this caller has to use a
-# different filename to avoid colliding with it. The workflow's
-# `name:` is still "CodeQL" so the displayed status check matches
-# `CodeQL / Analyze (actions)` — same as every other repo that
-# uses this reusable, and what branch protection rulesets require.
-
 on:
 pull_request:
 branches:
 - "main"
-
 permissions:
 contents: "read"
 security-events: "write"
 actions: "read"
-
 jobs:
 codeql:
 name: "CodeQL"