
chore: import org workflows #17

Merged: gentamura merged 6 commits into main from chore/migrate-org-workflows on Nov 13, 2025

Conversation

@gentamura (Member) commented Nov 13, 2025

Summary

  • migrate codeql, dependency-review, and oss-scorecard workflows from the org-level .github repo into listee-ci so downstream repos can use them
  • pin every external action (checkout, codeql upload-sarif) to full commit SHAs for supply-chain safety

Testing

  • not applicable (workflow-only change)

Summary by CodeRabbit

  • Chores
    • Added an automated CodeQL security analysis workflow to run on main, pull requests, and on a schedule, with language/build matrix support and guidance for manual build steps.
    • Added a dependency review workflow to enforce license policies (allow/warn/deny lists) on pull requests.
    • Added a supply-chain security scorecard workflow to run assessments, produce SARIF results, and publish findings.
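Pinning every external action to a full commit SHA, the second bullet of the summary, is easy to regress when workflows are copied between repositories, which is exactly the kind of slip the review below catches on the `@v3` and `@v4` references. The checker that follows is an added example written for this page; it is not code from the listee-ci repository, from the imported org workflows, or from the pinact tool. It classifies every `uses:` reference in a workflow file as SHA-pinned, tag-pinned, unversioned, local or docker, reports tag-pinned or unversioned external actions and SHA pins that carry no version comment, and falls back to a constructed sample workflow (the 40-hex SHA in it is a placeholder, not a real commit) when no file paths are given.

```python
"""Lint GitHub Actions workflow files for unpinned `uses:` references.

Added example for this page (not listee-ci, org-workflow or pinact code):
a regex-based check that fails when an external action is referenced by a
mutable tag instead of a full commit SHA.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# A `uses:` line, optionally quoted, optionally followed by a trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(.*?))?\s*$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class UsesRef:
    line: int      # 1-based line number in the workflow file
    action: str    # e.g. actions/checkout
    ref: str       # text after '@' ('' when absent)
    comment: str   # trailing '# ...' text ('' when absent)
    kind: str      # sha | tag | unversioned | local | docker


def classify(action: str, ref: str) -> str:
    """Decide how an action reference is pinned."""
    if action.startswith("./"):
        return "local"         # same-repo composite action: no pin applies
    if action.startswith("docker://"):
        return "docker"        # image reference; digest pinning is a separate check
    if not ref:
        return "unversioned"   # `owner/repo` with no @ref floats to the default branch
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    return "tag"               # v3, v4.1.0, main, ...: mutable, not a pin


def scan_workflow(text: str) -> list[UsesRef]:
    """Return every `uses:` reference found in a workflow file's text."""
    refs: list[UsesRef] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), (m.group(2) or "").strip()
        action, _, ref = target.partition("@")
        refs.append(UsesRef(lineno, action, ref, comment, classify(action, ref)))
    return refs


def violations(refs: list[UsesRef]) -> list[str]:
    """Findings: unpinned external actions, and SHA pins with no version comment."""
    out: list[str] = []
    for r in refs:
        if r.kind in ("tag", "unversioned"):
            out.append(f"line {r.line}: {r.action}@{r.ref or '<none>'} is not pinned to a full commit SHA")
        elif r.kind == "sha" and not r.comment:
            out.append(f"line {r.line}: {r.action}@{r.ref[:7]}... has no version comment (e.g. '# v5')")
    return out


# Constructed sample workflow (not the PR's real file); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: sample
on: [push]
permissions:
  contents: read
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/setup-bun
      - uses: "github/codeql-action/init@v3"
      - uses: some-org/some-action
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""


def main(paths: list[str]) -> int:
    """CLI entry point: exit status 1 when any workflow has a violation."""
    texts = [Path(p).read_text() for p in paths] if paths else [SAMPLE_WORKFLOW]
    problems = [v for t in texts for v in violations(scan_workflow(t))]
    for p in problems:
        print(p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python pin_check.py .github/workflows/*.yml` in a CI job and the non-zero exit blocks the merge; the version comment check exists because a bare SHA tells a reviewer nothing about which release it is, and keeping the `# vX.Y.Z` comment beside the hash is what lets the pin be audited and bumped.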

@coderabbitai bot commented Nov 13, 2025

Walkthrough

Adds three new GitHub Actions workflows under .github/workflows/: a CodeQL Advanced workflow, a Dependency Review workflow with license checks, and an OSSF Scorecard workflow that produces SARIF and uploads artifacts. Triggers, permissions, and steps are declared per workflow.

Changes

Cohort / File(s): Change Summary

  • CodeQL workflow (.github/workflows/codeql.yml): New CodeQL Advanced workflow: triggers on push/PR to main and schedule; matrix for javascript-typescript with build-mode: none; conditional runner selection; permissions set; steps: checkout, CodeQL init, optional manual-build conditional, and analysis/upload (language-scoped).
  • Dependency review workflow (.github/workflows/dependency-review.yml): New Dependency Review workflow: triggers on pull_request (opened/synchronize/reopened); uses ubuntu-latest with pinned checkout; runs dependency-review-action with license-check: true and configured allow/warn/deny license lists.
  • OSSF Scorecard workflow (.github/workflows/oss-scorecard.yml): New Scorecard supply-chain workflow: triggers on branch-protection schedule and push to main; scoped permissions (security-events, id-token); runs OSSF Scorecard, emits SARIF, uploads SARIF artifact, and includes optional code-scanning publish guidance.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer
  participant GH as GitHub
  participant Runner as Actions Runner
  participant CodeQL as CodeQL Action
  participant DepRev as Dependency Review Action
  participant Score as OSSF Scorecard
  participant Artifact as SARIF Artifact

  Dev->>GH: push / open PR / scheduled
  GH->>Runner: trigger workflows
  alt CodeQL workflow
    Runner->>Runner: checkout repo
    Runner->>CodeQL: init (lang=js/ts, build-mode=none)
    CodeQL-->>Runner: analyze & produce results
    Runner->>GH: upload analysis (category/SARIF)
  end
  alt Dependency Review workflow
    Runner->>Runner: checkout repo
    Runner->>DepRev: run dependency-review-action (license checks)
    DepRev-->>GH: post review report / comments
  end
  alt OSSF Scorecard workflow
    Runner->>Runner: checkout repo
    Runner->>Score: run scorecard (produce SARIF)
    Score->>Artifact: upload SARIF artifact
    Artifact-->>GH: artifact available / optional publish
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Check pinned action versions and permission scopes in all three workflows.
  • Validate the dependency-review license allow/warn/deny lists (.github/workflows/dependency-review.yml).
  • Inspect CodeQL build-mode conditional and any manual-build guidance (.github/workflows/codeql.yml).
  • Confirm SARIF generation, artifact upload, and optional code-scanning publish settings (.github/workflows/oss-scorecard.yml).

Poem

🐰 I hopped through YAML lines tonight,

workflows woke and checks took flight,
CodeQL sniffed the code-paths true,
licenses tallied, scorecard too,
carrot-ci gleams in morning light.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped: CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly summarizes the main change: importing organization workflows into the repository.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d53aed and 93d3f7d.

📒 Files selected for processing (1)
  • .github/workflows/dependency-review.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/dependency-review.yml

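The walkthrough above describes the Dependency Review workflow as enforcing allow/warn/deny license lists on pull requests. The code below is an added example, not the workflow's YAML and not the dependency-review-action's own implementation: it approximates that policy decision over SPDX license expressions (a disjunction such as `MIT OR GPL-3.0-only` takes its most permissive branch, a conjunction its strictest, parentheses nest), so a reader can see why a given dependency set is warned on or blocked before committing the lists to the action's inputs. The dependency names, license strings and policy lists are constructed for the example; an identifier missing from every list is treated as denied, since an allow list is a closed set.

```python
"""Allow/warn/deny license policy over SPDX expressions.

Added example for this page: an approximation of the decision a license-check
workflow makes, not the dependency-review-action's code. Policy lists and
dependencies below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

RANK = {"allow": 0, "warn": 1, "deny": 2}  # ordering used when combining branches


@dataclass
class LicensePolicy:
    allow: frozenset[str]
    warn: frozenset[str] = frozenset()
    deny: frozenset[str] = frozenset()

    def __post_init__(self) -> None:
        # SPDX identifiers are matched case-insensitively.
        self.allow = frozenset(s.upper() for s in self.allow)
        self.warn = frozenset(s.upper() for s in self.warn)
        self.deny = frozenset(s.upper() for s in self.deny)


def _wrapped_in_parens(expr: str) -> bool:
    """True when a single pair of parentheses encloses the whole expression."""
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for i, c in enumerate(expr):
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0 and i != len(expr) - 1:
                return False
    return depth == 0


def _split_top_level(expr: str, op: str) -> list[str]:
    """Split on ' OR ' / ' AND ' outside parentheses; one element if op is absent."""
    token, parts, depth, start, i = f" {op} ", [], 0, 0, 0
    while i < len(expr):
        c = expr[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif depth == 0 and expr.startswith(token, i):
            parts.append(expr[start:i])
            i += len(token)
            start = i
            continue
        i += 1
    parts.append(expr[start:])
    return [p.strip() for p in parts]


def verdict(expr: str, policy: LicensePolicy) -> str:
    """Classify one SPDX expression as 'allow', 'warn' or 'deny'."""
    expr = expr.strip()
    while _wrapped_in_parens(expr):
        expr = expr[1:-1].strip()
    ors = _split_top_level(expr, "OR")
    if len(ors) > 1:   # the consumer may pick any branch: most permissive wins
        return min((verdict(p, policy) for p in ors), key=RANK.__getitem__)
    ands = _split_top_level(expr, "AND")
    if len(ands) > 1:  # every branch applies: strictest wins
        return max((verdict(p, policy) for p in ands), key=RANK.__getitem__)
    lic = expr.upper()
    if lic in policy.deny:
        return "deny"
    if lic in policy.warn:
        return "warn"
    if lic in policy.allow:
        return "allow"
    return "deny"      # not on the allow list: treated like a denied license


def review(deps: list[tuple[str, str]], policy: LicensePolicy) -> dict[str, str]:
    """Map each (name, license expression) pair to its verdict."""
    return {name: verdict(expr, policy) for name, expr in deps}


def blocking(deps: list[tuple[str, str]], policy: LicensePolicy) -> list[str]:
    """Names of dependencies whose verdict would fail the check."""
    return [name for name, v in review(deps, policy).items() if v == "deny"]


# Constructed policy and dependency set (placeholders, not a real manifest).
POLICY = LicensePolicy(
    allow=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}),
    warn=frozenset({"LGPL-2.1-only"}),
    deny=frozenset({"GPL-3.0-only"}),
)
SAMPLE_DEPS = [
    ("left-pad", "MIT"),
    ("some-lib", "MIT OR GPL-3.0-only"),
    ("strict-lib", "GPL-3.0-only"),
    ("dual-lib", "(Apache-2.0 AND LGPL-2.1-only)"),
    ("odd-lib", "Unknown-1.0"),
]

if __name__ == "__main__":
    for name, v in review(SAMPLE_DEPS, POLICY).items():
        print(f"{name}: {v}")
    print("blocking:", blocking(SAMPLE_DEPS, POLICY))
```

The OR/AND rule is the part worth getting right when tuning the lists: a dual-licensed package is only as restrictive as its friendliest option, while a package that combines licenses inherits the strictest, so a warn-listed identifier inside an AND turns the whole dependency into a warning even when its other component is allowed.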

@github-advanced-security commented:

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec6f35d and a0c2a7e.

📒 Files selected for processing (3)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/dependency-review.yml (1 hunks)
  • .github/workflows/oss-scorecard.yml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
.github/**/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

YAML files use 2-space indentation and filenames use kebab-case with .yml extension

Files:

  • .github/workflows/codeql.yml
  • .github/workflows/oss-scorecard.yml
  • .github/workflows/dependency-review.yml
.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/*.yml: Workflow job IDs are lowercase and concise; step name fields are human-readable
Reference the internal composite action relatively as ./.github/actions/setup-bun so it works with both act and GitHub

Files:

  • .github/workflows/codeql.yml
  • .github/workflows/oss-scorecard.yml
  • .github/workflows/dependency-review.yml
.github/{workflows,actions}/**/*.{yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

External actions must use stable, versioned tags (e.g., actions/checkout@v5)

Files:

  • .github/workflows/codeql.yml
  • .github/workflows/oss-scorecard.yml
  • .github/workflows/dependency-review.yml
🧠 Learnings (3)
📓 Common learnings
Learnt from: gentamura
Repo: listee-dev/listee-ci PR: 7
File: .github/workflows/release.yml:22-22
Timestamp: 2025-10-01T23:55:49.798Z
Learning: In reusable workflows (workflow_call) within the listee-ci repository, composite actions from the same repository must be referenced using the full repository path with a commit SHA (e.g., `listee-dev/listee-ci/.github/actions/setup-bun@<commit-sha>`), not relative paths, because relative paths resolve against the caller's repository context.
Learnt from: gentamura
Repo: listee-dev/listee-ci PR: 7
File: .github/workflows/lint.yml:13-13
Timestamp: 2025-10-02T11:13:06.521Z
Learning: For non-reusable workflows (triggered directly by events like push, pull_request, etc.) in the listee-ci repository, composite actions from the same repository can be referenced using relative paths like `./.github/actions/<action-name>` because the workflow executes in its own repository context where relative paths resolve correctly.
Learnt from: gentamura
Repo: listee-dev/listee-ci PR: 7
File: .github/workflows/typecheck.yml:13-13
Timestamp: 2025-10-01T23:56:01.747Z
Learning: For reusable workflows (workflow_call) in listee-ci, composite actions from the same repository must be referenced using the repo-qualified path format `listee-dev/listee-ci/.github/actions/<action-name>@<commit-sha>` because relative paths would resolve against the caller's repository, not the workflow's repository.
Learnt from: CR
Repo: listee-dev/listee-ci PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-09-20T12:49:53.689Z
Learning: Applies to .github/workflows/{lint,test,typecheck,release}.yml : Common reusable workflows must exist at .github/workflows/lint.yml, test.yml, typecheck.yml, and release.yml
Learnt from: CR
Repo: listee-dev/listee-ci PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-09-20T12:49:53.689Z
Learning: Applies to .github/{workflows,actions}/**/*.{yml,yaml} : External actions must use stable, versioned tags (e.g., actions/checkout@v5)
📚 Learning: 2025-09-20T12:49:53.689Z
Learnt from: CR
Repo: listee-dev/listee-ci PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-09-20T12:49:53.689Z
Learning: Applies to .github/{workflows,actions}/**/*.{yml,yaml} : External actions must use stable, versioned tags (e.g., actions/checkout@v5)

Applied to files:

  • .github/workflows/dependency-review.yml
📚 Learning: 2025-09-20T12:49:53.689Z
Learnt from: CR
Repo: listee-dev/listee-ci PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-09-20T12:49:53.689Z
Learning: Applies to .github/workflows/pinact.yml : Include and use pinact.yml workflow to enforce pinned action references

Applied to files:

  • .github/workflows/dependency-review.yml
🔇 Additional comments (3)
.github/workflows/oss-scorecard.yml (1)

1-80: All external actions properly pinned to commit SHAs.

This workflow correctly pins all external actions to full commit SHAs with version tags as comments, meeting the PR objective for supply-chain safety. The structure, permissions, and job logic are sound.

.github/workflows/codeql.yml (1)

68-68: Pin codeql-action references to commit SHAs instead of version tags.

The PR objective requires pinning every external action to full commit SHAs for supply-chain safety. Lines 68 and 96 use @v3 tags instead of commit SHAs.

Update both references to use the commit SHA ab2e54f42aa112ff08704159b88a57517f6f0ebb with the version as a comment:

-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@ab2e54f42aa112ff08704159b88a57517f6f0ebb # v3
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@ab2e54f42aa112ff08704159b88a57517f6f0ebb # v3
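Review bot: the suggested pin is skipped (see the learnings below) because the repo's AGENTS.md rule still reads "External actions must use stable, versioned tags", which contradicts this PR's stated objective of full-SHA pinning; AGENTS.md should be changed to require commit SHAs, with the pinact.yml workflow the learnings mention enforcing it, or the same finding will be skipped on every future workflow. Separately, the `# v3` comment on both `+` lines should name the exact release that `ab2e54f42aa112ff08704159b88a57517f6f0ebb` resolves to (a full `v3.x.y` tag) so a reviewer can verify the hash against a release and pin-update tooling can keep the comment and SHA in step.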
⛔ Skipped due to learnings
Learnt from: CR
Repo: listee-dev/listee-ci PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-09-20T12:49:53.689Z
Learning: Applies to .github/{workflows,actions}/**/*.{yml,yaml} : External actions must use stable, versioned tags (e.g., actions/checkout@v5)
Learnt from: CR
Repo: listee-dev/listee-ci PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-09-20T12:49:53.689Z
Learning: Applies to .github/workflows/pinact.yml : Include and use pinact.yml workflow to enforce pinned action references
Learnt from: gentamura
Repo: listee-dev/listee-ci PR: 7
File: .github/workflows/release.yml:22-22
Timestamp: 2025-10-01T23:55:49.798Z
Learning: In reusable workflows (workflow_call) within the listee-ci repository, composite actions from the same repository must be referenced using the full repository path with a commit SHA (e.g., `listee-dev/listee-ci/.github/actions/setup-bun@<commit-sha>`), not relative paths, because relative paths resolve against the caller's repository context.
.github/workflows/dependency-review.yml (1)

17-17: Pin dependency-review-action to a commit SHA, not a version tag.

The PR objective requires pinning every external action to full commit SHAs for supply-chain safety. Line 17 uses @v4 (tag) instead of a commit SHA.

Update line 17:

-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@46a3c492319c890177366b6ef46d6b4f89743ed4 # v4
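Review bot: the `# v4` comment on the `+` line only states the major line, so a reviewer cannot confirm that `46a3c492319c890177366b6ef46d6b4f89743ed4` is a v4 release of actions/dependency-review-action without resolving the SHA by hand; write the exact tag the SHA resolves to in the comment. As with the codeql.yml finding, this suggestion is skipped because AGENTS.md still mandates version tags, so the rule needs updating before the pin can be applied consistently across the three imported workflows.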
⛔ Skipped due to learnings (the same AGENTS.md and release.yml learnings quoted above, plus:)
Learnt from: CR
Repo: listee-dev/listee-ci PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-09-20T12:49:53.689Z
Learning: Applies to .github/actions/setup-bun/action.@(yml|yaml) : The composite action at .github/actions/setup-bun installs Bun and runs `bun install --frozen-lockfile`

@gentamura gentamura self-assigned this Nov 13, 2025
@gentamura gentamura merged commit 94decc6 into main Nov 13, 2025
7 of 8 checks passed
@gentamura gentamura deleted the chore/migrate-org-workflows branch November 13, 2025 13:16