Commit 35762b1

chore(bootstrap): drop workflow-driven CodeQL — default setup is the SSoT (RAN-46)
The codeql.yml workflow added in 638fda7 conflicts with the repo-level CodeQL default setup that was already enabled for `java-kotlin`, `javascript-typescript`, and `actions`. GitHub Code-Scanning rejects duplicate SARIF uploads for the same language with a "configuration error" (see PR #74's failed `Analyze (javascript-typescript)` run 24928083508). Default setup already covers everything the workflow added (multi-language analysis, SARIF in the Security tab, push + PR + scheduled runs) and is a managed GitHub feature that auto-updates. Keeping the workflow buys us nothing here and breaks every PR with a stuck failed check.

Adjustments:

- delete .github/workflows/codeql.yml
- .bestpractices.json: point `code_scanning` evidence at the default-setup repo setting instead of the deleted workflow
- engineering-standards.md §9: document the decision and why default setup won

Refs RAN-46 AC #4. Default-setup is being kept enabled per @ceo's post-merge sequence (item #3).
1 parent 0b03459 commit 35762b1

3 files changed

Lines changed: 2 additions & 82 deletions

File tree

.bestpractices.json

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@
2525
"license_file": "LICENSE",
2626
"build_reproducible": "mvn -B -ntp clean verify",
2727
"ci_workflow": ".github/workflows/ci-java.yml",
28-
"code_scanning": ".github/workflows/codeql.yml",
28+
"code_scanning": "GitHub repo setting (CodeQL default setup, java-kotlin + javascript-typescript + actions). Workflow-driven CodeQL was tried in PR #74 but conflicts with default setup at SARIF upload — keeping default setup as the SSoT.",
2929
"supply_chain_scorecard": ".github/workflows/scorecard.yml",
3030
"dependency_updates": ".github/dependabot.yml",
3131
"signed_commits": "scripts/setup-git-signed.sh",
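Review bot: the new `code_scanning` value changes the field's type from a repo-relative path (like every sibling key here: `ci_workflow`, `supply_chain_scorecard`, `dependency_updates`, `signed_commits`) to a free-text sentence, so anything that consumes `.bestpractices.json` and resolves evidence entries as files will now fail on this key; consider a structured value instead, e.g. an object such as `{"type": "github-default-setup", "languages": ["java-kotlin", "javascript-typescript", "actions"]}` or a URL to the repo's code-scanning settings, and keep the PR #74 rationale in engineering-standards.md only, since the same explanation is now duplicated in two files and will drift.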

.github/workflows/codeql.yml

Lines changed: 0 additions & 81 deletions
This file was deleted.

shared/runbooks/engineering-standards.md

Lines changed: 1 addition & 0 deletions
@@ -110,3 +110,4 @@ Ground rules:
110110
- `/home/dev/.claude/rules/*.md` — global engineering rules (parent SSoT).
111111
- `pom.xml` — quality-gate plugin wiring (`jacoco`, `spotbugs`, `dependency-check`, `central-publishing`).
112112
- `.github/workflows/` — CI / release / security automations.
113+
- **CodeQL** — handled by GitHub repo-level **CodeQL default setup** (java-kotlin + javascript-typescript + actions), not a workflow file. A workflow-driven CodeQL was attempted in PR #74 and removed because GitHub rejects duplicate SARIF uploads when default setup is also enabled for the same language. Configuration lives under repo Settings → Code security → Code scanning.
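Review bot: the new bullet correctly notes that the CodeQL configuration now lives in repo Settings rather than in a versioned file, but it does not say how that state is verified; because default setup is toggled outside git there is no PR trail if it is disabled or a language is dropped, so add one sentence on the expected check (the Settings → Code security → Code scanning page, or the repo's code-scanning configuration endpoint) and on the expectation that enabling or removing a language there must be mirrored in this bullet and in `.bestpractices.json`. Minor: the commit message cites "engineering-standards.md §9", while this hunk lands under "Ground rules:" at lines 110-113; confirm the section reference matches the file.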
