From 90a16af9fb31154d9a26b2163117208711a5c6bd Mon Sep 17 00:00:00 2001
From: Eva
Date: Thu, 2 Apr 2026 23:45:31 +0700
Subject: [PATCH 1/2] chore: add CodeQL security scanning workflow

Adds CodeQL JS/TS analysis on push to main and PRs. Required by repo ruleset.
---
 .github/workflows/codeql.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..a3b1fb0
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,27 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ analyze:
+ name: Analyze (JavaScript/TypeScript)
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ security-events: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: javascript-typescript
+ queries: security-and-quality
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3

From 8fb2978f8c08727d517d23b46c67a0c201939210 Mon Sep 17 00:00:00 2001
From: Eva
Date: Thu, 2 Apr 2026 23:58:23 +0700
Subject: [PATCH 2/2] fix: add actions:read permission + bump codeql-action to v4

---
 .github/workflows/codeql.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a3b1fb0..9bbf576 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
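Review bot: Every `uses:` in this new workflow references a mutable major tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`), and the second hunk keeps that pattern with its `@v4` bumps, so whatever those tags point to at run time executes with `security-events: write` on this repository. Pinning each action to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, makes the scanner's own supply chain auditable and lets Dependabot or Renovate move the pins deliberately. Separately, the workflow only runs on `push` and `pull_request` to `main`, so newly published CodeQL queries are not applied to the default branch until someone pushes; a `schedule:` cron entry under `on:` is the usual complement to the PR gate the commit message says the ruleset requires.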
@@ -12,16 +12,17 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 permissions:
+ actions: read
 security-events: write
 contents: read
 steps:
 - uses: actions/checkout@v4
 
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: javascript-typescript
 queries: security-and-quality
 
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
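Review bot: The added `actions: read` grant has no comment explaining why a security-scanning job needs to read the Actions API, and the commit title only records that it was added, so the next reader has to guess whether it can be dropped when tightening `permissions:`. The codeql-action documentation lists this permission as needed for private repositories so the analyze step can read workflow run metadata — worth confirming that is the reason here — and a one-line comment above the grant such as `# actions: read — lets CodeQL read workflow run metadata (needed for private repos)` would record it. The enclosing `analyze` job definition starts above this hunk.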