
ci: add explicit CodeQL workflow#840

Closed
Copilot wants to merge 7 commits into
mainfrom
copilot/fix-codeql-job-failure

Copilot AI commented May 26, 2026

Pull Request

Description

Code scanning was failing in CodeQL init because the generated default setup tried to fetch unavailable bundle 2.25.5. This adds an explicit repository-owned CodeQL workflow so scanning uses github/codeql-action@v4 defaults instead of the broken generated setup.

  • Workflow control: add .github/workflows/codeql.yml for PR, push, and scheduled scans
  • Version selection: remove any dependency on generated/default CodeQL bundle resolution by using the action defaults
  • Analysis scope: run Python analysis with build-mode: none, matching the repo’s current CodeQL needs

- name: Initialize CodeQL
  uses: github/codeql-action/init@v4
  with:
    languages: ${{ matrix.language }}
    build-mode: ${{ matrix.build-mode }}

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not
    work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Test improvements

Testing

  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have tested this manually (if applicable)

Code Quality

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have run poetry run lint and resolved any issues
  • I have run poetry run format-check and code is properly formatted

Related Issues

N/A

Additional Notes

This change is intentionally limited to CI configuration. It does not modify application code or the existing security scan workflow.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.katana.test
    • Triggering command: /home/REDACTED/work/katana-openapi-client/katana-openapi-client/.venv/bin/python /home/REDACTED/work/katana-openapi-client/katana-openapi-client/.venv/bin/python -u -c import sys;exec(eval(sys.stdin.readline())) (dns block)
  • cafe.github.com
    • Triggering command: /usr/bin/gh /usr/bin/gh send-telemetry (dns block)
  • esm.sh
    • Triggering command: /home/REDACTED/work/katana-openapi-client/katana-openapi-client/.venv/bin/python /home/REDACTED/work/katana-openapi-client/katana-openapi-client/.venv/bin/python -m fastmcp.cli dev apps /home/REDACTED/work/katana-openapi-client/katana-openapi-client/katana_mcp_server/tests/browser/render_test_server.py:mcp --mcp-port 18877 --dev-port 18876 --no-reload (dns block)
  • https://api.github.com/repos/dougborg/katana-openapi-client/actions/runs/26458869066
    • Triggering command: /usr/bin/gh gh run view 26458869066 --log (http block)
  • https://api.github.com/repos/dougborg/katana-openapi-client/code-scanning/analyses
    • Triggering command: /usr/bin/gh gh api repos/dougborg/katana-openapi-client/code-scanning/analyses --paginate /home/REDACTED/work/katana-openapi-client/katana-openapi-client/.github /home/REDACTED/work/katana-openapi-client/katana-openapi-client (http block)
  • https://api.github.com/repos/dougborg/katana-openapi-client/code-scanning/default-setup
    • Triggering command: /usr/bin/gh gh api repos/dougborg/katana-openapi-client/code-scanning/default-setup (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Fix the failing CodeQL job for pull request #839 in repository dougborg/katana-openapi-client.

Context:

Observed failure from logs:

  • The job attempts to use CodeQL CLI version 2.25.5.
  • It tries to download https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.25.5/codeql-bundle-linux64.tar.zst
  • The download returns HTTP 404.
  • The job fails with Unable to download and extract CodeQL CLI: Unexpected HTTP response: 404.

Requested work:

  1. Inspect the repository’s GitHub Actions / CodeQL workflow definition(s) and any referenced reusable workflow or configuration involved in PR feat(harness): add Katana official MCP + refresh upstream specs #839.
  2. Identify where the invalid CodeQL bundle/tool version is being pinned or configured.
  3. Modify the workflow/config so the job no longer requests unavailable CodeQL tools version 2.25.5.
  4. Prefer the minimal, correct fix. If possible, rely on supported github/codeql-action@v4 defaults rather than manually pinning a bundle version.
  5. Keep the change focused on fixing the CI failure only.
  6. Commit the fix to the PR branch and open/update the pull request as appropriate.

Please include a concise explanation in the PR changes of what was changed and why.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for failing job 77900675611. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The failure is in the CodeQL initialization step, not in your application code.

Root cause

The job is trying to download a CodeQL bundle that does not exist:

  • Requested version: 2.25.5
  • Failing URL: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.25.5/codeql-bundle-linux64.tar.zst
  • Result: 404

From the log:

  • Did not find CodeQL tools version 2.25.5 in the toolcache
  • Failed to download CodeQL bundle ... HTTP status code: 404
  • Unable to download and extract CodeQL CLI: Unexpected HTTP response: 404

This means the workflow or organization-level CodeQL setup is pinned to an invalid/unavailable bundle version.

Solution

Update the CodeQL workflow/config so it no longer requests 2.25.5.

Best fix

If your workflow explicitly pins the CodeQL action or tools version, remove the tools-version pin and use the current supported action release.

Example:

- uses: github/codeql-action/init@v4
  with:
    languages: <your-languages>

and:

- uses: github/codeql-action/analyze@v4

If you are explicitly setting a CodeQL CLI/tools version

Change or remove the setting that forces 2.25.5.

Example of what to remove or update:

with:
  tools: 2.25.5

or any equivalent config that pins the bundle version.

Why this is the correct fix

The job fails before analysis starts, during CodeQL bundle download. Since the error is an external 404 for the requested bundle, the only actionable repository-side fix is to stop requesting that unavailable version.

What to change in practice

Search your CodeQL workflow definition and any shared/reusable workflow or org-level template for:

  • 2.25.5
  • codeql-bundle-v2.25.5
  • any CodeQL tools/version pin

Then update it to a valid supported configuration, preferably just using github/codeql-action@v4 without a manual tools-version override.

Suggested code change

If your current job looks something like this:

- uses: github/codeql-action/init@v4
  with:
    languages: javascript
    tools: 2.25.5

change it to:

- uses: github/codeql-action/init@v4
  with:
    languages: javascript

If a shared workflow is injecting the version pin, remove it there instead.

Summary

This PR is failing because CodeQL is pinned to an unavailable bundle version (2.25.5). Remove that pin or update it to a valid version in the CodeQL workflow definition or reusable workflow referenced by dynamic/github-code-scanning/codeql at ref f0f77a2c2cd883d54bb517561c3dfb5135f1fe23.

User: make the change for me please.

Assistant: I’m waiting for your confirmation on the proposed repository change so I can continue and make the fix.

This pull request was created from Copilot chat.
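A complete workflow of the shape the description outlines, written here as an added example rather than the PR's actual .github/workflows/codeql.yml: v4 init/analyze with no tools pin, a Python-only matrix with build-mode none, and a least-privilege permissions block for the upload step. The permissions block, cron time and branch filter are assumptions, not taken from the page.

```yaml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"   # weekly; the exact time is an assumption

# Least privilege for the job token: analyze@v4 needs
# security-events: write to upload SARIF; nothing else is required.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: python
            build-mode: none
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # No `tools:` input: the action resolves its own default CodeQL
      # bundle, so the job never requests a version that does not exist.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
```

GitHub rejects SARIF uploads from an advanced workflow while default setup is still enabled, so default setup should be switched off in the repository's code scanning settings once this workflow is in place.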

Copilot AI and others added 2 commits May 26, 2026 15:59
Agent-Logs-Url: https://github.com/dougborg/katana-openapi-client/sessions/4f23639c-0d1b-471d-8b7c-4be93cf0547d

Co-authored-by: dougborg <1261222+dougborg@users.noreply.github.com>
Agent-Logs-Url: https://github.com/dougborg/katana-openapi-client/sessions/4f23639c-0d1b-471d-8b7c-4be93cf0547d

Co-authored-by: dougborg <1261222+dougborg@users.noreply.github.com>
@dougborg dougborg marked this pull request as ready for review May 26, 2026 16:13
Copilot AI review requested due to automatic review settings May 26, 2026 16:13
Copilot AI left a comment

Pull request overview

Adds an explicit “advanced” CodeQL workflow to ensure the repository uses github/codeql-action@v4 with default tool selection, avoiding the failing generated/default Code Scanning setup that attempted to download an unavailable CodeQL CLI bundle (2.25.5).

Changes:

  • Introduces .github/workflows/codeql.yml to run CodeQL on pushes/PRs to main plus a weekly schedule.
  • Uses github/codeql-action/init@v4 and github/codeql-action/analyze@v4 for Python analysis without pinning a CodeQL tools version.

Copilot AI changed the title [WIP] Fix failing CodeQL job for PR #839 ci: add explicit CodeQL workflow May 26, 2026
Copilot AI requested a review from dougborg May 26, 2026 16:16
Copilot AI review requested due to automatic review settings May 26, 2026 17:35
Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@dougborg dougborg enabled auto-merge (rebase) May 26, 2026 18:08
@dougborg dougborg closed this May 26, 2026
auto-merge was automatically disabled May 26, 2026 18:13

Pull request was closed
