From a822a38c842ca369ab5e015b8f9c0232c28fd602 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 10 Jun 2026 07:32:22 +0000
Subject: [PATCH 1/4] Initial plan

From 4430432eb239b7cd5d773e612b717a9276c4886e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 10 Jun 2026 07:33:55 +0000
Subject: [PATCH 2/4] ci: add containerized CodeQL workflow replacing settings-generated job

---
 .github/workflows/codeql.yml | 46 ++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..1618cd1
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,46 @@
+# This workflow replaces the repository-settings-generated CodeQL setup.
+# Running the job in a container avoids workspace permission issues on
+# self-hosted runners and keeps the build environment fully isolated.
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: '0 6 * * 1'
+
+jobs:
+ analyze:
+ name: Analyze (cpp)
+ runs-on: self-hosted
+
+ container:
+ image: buildpack-deps:jammy
+
+ defaults:
+ run:
+ shell: bash
+
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: cpp
+
+ - name: Build
+ run: |
+ make clean || true
+ make -j"$(nproc)"
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4

From 0721a64cadb454e24861f27ea07dc131e59106f9 Mon Sep 17 00:00:00 2001
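Review bot: The three `uses:` references (`actions/checkout@v6`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`) and the `image: buildpack-deps:jammy` line all resolve mutable tags, so the code that runs with `security-events: write` on the self-hosted runner can change without any commit to this repository. Pin each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v6`, and the image by digest, `image: buildpack-deps:jammy@sha256:<digest>`, then let Dependabot or Renovate move the pins. Separately, `pull_request` also runs this job, so the container is what stands between a contributor's Makefile and the runner host; the header comment presents the container as isolation, which presumably holds only if the runner is ephemeral or fork PRs are kept off it, and that assumption is worth stating in the comment.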
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 10 Jun 2026 07:34:27 +0000
Subject: [PATCH 3/4] ci: clarify make clean || true intent with inline comment

---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1618cd1..2b9f357 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -39,7 +39,7 @@ jobs:
 - name: Build
 run: |
- make clean || true
+ make clean || true # tolerate missing or no-op clean target
 make -j"$(nproc)"
 - name: Perform CodeQL Analysis

From bd42e5fc83317374506328147604ee8b6463db12 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 10 Jun 2026 07:42:42 +0000
Subject: [PATCH 4/4] ci: add safe.directory config to fix git ownership errors in container

---
 .github/workflows/codeql.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2b9f357..2fab649 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,6 +29,9 @@ jobs:
 security-events: write
 steps:
+ - name: Configure Git safe directory
+ run: git config --global --add safe.directory '*'
+
 - name: Checkout
 uses: actions/checkout@v6
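Review bot: `safe.directory '*'` turns off git's repository-ownership check for every path in the container rather than for the one checkout that triggers the error, and with `--global` the exception applies to every later `git` call in the job, including those made by the CodeQL steps. The narrower form fixes the same failure while leaving the check in place elsewhere: `run: git config --global --add safe.directory "$GITHUB_WORKSPACE"`. The blast radius is limited because the global config lives inside the per-job `buildpack-deps:jammy` container, but the step should say why the check has to be relaxed at all — presumably the host-owned workspace has a different uid than the container user — so a later reader does not copy the wildcard into a non-container job.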