
fix(ci): stabilize codeql and scorecard#18

Merged
gentamura merged 5 commits into main from fix-codeql-scorecard
Jan 2, 2026

Conversation

@gentamura (Member)

@gentamura gentamura commented Jan 2, 2026

Summary

  • Switch CodeQL analysis to Actions for this repository
  • Update CodeQL action pin used by Scorecard upload
  • Skip bun install when package.json is missing in setup-bun
  • Update setup-bun pin in reusable workflows to latest commit

Verification

  • act -j lint -W .github/workflows/lint.yml --container-architecture linux/amd64 (fails until merged because refs are not on main)

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated GitHub Actions workflow dependencies to latest versions for improved compatibility and security
    • Enhanced build process with conditional package validation for greater robustness

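For the setup-bun change listed above, here is an added example of what a composite action looks like with the package.json guard in place. It is illustrative code written for this page, not the repository's own .github/actions/setup-bun/action.yml; the input name bun-version, its default, the tag in the trailing comment and the all-zero commit hash standing in for a real pinned SHA are assumptions.

```yaml
# Illustrative composite action, not the repository's .github/actions/setup-bun/action.yml.
name: setup-bun
description: Install Bun and, only when a package.json is present, the project's dependencies

inputs:
  bun-version:
    description: Bun version to install (assumed input name for this example)
    required: false
    default: latest

runs:
  using: composite
  steps:
    - name: Install Bun
      # Pin to a full commit SHA and record the tag in a comment. The all-zero value is a
      # placeholder for this example; substitute the hash of the release you have reviewed.
      uses: oven-sh/setup-bun@0000000000000000000000000000000000000000 # vX.Y.Z
      with:
        bun-version: ${{ inputs.bun-version }}

    - name: Install dependencies
      shell: bash
      run: |
        set -euo pipefail
        if [ -f package.json ]; then
          # --frozen-lockfile makes bun fail instead of rewriting the lockfile, so a
          # package.json / lockfile mismatch surfaces in CI rather than silently
          # resolving to versions nobody reviewed.
          bun install --frozen-lockfile
        else
          # Callers that only need the bun binary (no JS/TS manifest) skip the install.
          echo "No package.json found; skipping bun install"
        fi
```

A workflow consumes it with `uses: ./.github/actions/setup-bun` after checkout; the guard is what lets the same action serve both package-based jobs and jobs that run bun against a repository with no manifest.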

@coderabbitai

coderabbitai bot commented Jan 2, 2026

Caution: Review failed. The pull request is closed.

📝 Walkthrough

This PR updates GitHub Actions workflows and configuration files. Changes include modifying the setup-bun action to conditionally check for package.json before installing dependencies, bumping the setup-bun action version across multiple workflows to newer commit hashes, updating the CodeQL matrix language from javascript-typescript to actions, and upgrading the codeql-action version for SARIF uploads.

Changes

Cohort / File(s) | Summary

Setup Action Configuration: .github/actions/setup-bun/action.yml
  Modified install step to conditionally run bun install --frozen-lockfile only if package.json exists; otherwise echoes skip message

Workflow Version Bumps: .github/workflows/{lint, release, test, typecheck}.yml
  Updated setup-bun action reference to newer commit hash across four workflows; no logic changes to steps or jobs

CodeQL Configuration: .github/workflows/codeql.yml
  Changed CodeQL matrix language entry from javascript-typescript to actions

SARIF Upload Action: .github/workflows/oss-scorecard.yml
  Upgraded codeql-action upload-sarif version from v3.25.4 to v3.31.2 (commit hash updated)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A hop, a bump, a version climb,
Fresh commits keep actions in time,
Package checks guard the install dance,
CodeQL eyes take a new glance,
CI workflows spring with delight! 🚀


📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 94decc6 and af12dd6.

📒 Files selected for processing (7)
  • .github/actions/setup-bun/action.yml
  • .github/workflows/codeql.yml
  • .github/workflows/lint.yml
  • .github/workflows/oss-scorecard.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • .github/workflows/typecheck.yml

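For the CodeQL language switch described in the walkthrough, here is an added example workflow, written for this page and not the repository's .github/workflows/codeql.yml, showing actions as the matrix language together with SHA-pinned action references. The triggers, the branch name, the schedule and the all-zero hashes standing in for real commit SHAs are assumptions; the codeql-action tag in the comments is the v3.31.2 the walkthrough names for the scorecard upload step.

```yaml
# Illustrative workflow, not the repository's .github/workflows/codeql.yml.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 3 * * 1'   # assumed weekly run: picks up new queries without a code change

# Default to read-only at the workflow level; only the analyze job gets more.
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload results to code scanning
    strategy:
      fail-fast: false
      matrix:
        include:
          # 'actions' points CodeQL at the workflow and action YAML under .github/
          # rather than application code: untrusted event data interpolated into
          # run: scripts, unpinned action references, over-broad permissions.
          - language: actions
            build-mode: none
    steps:
      # All-zero hashes are placeholders for this example. Pin to the real commit of the
      # tag named in the trailing comment so that a moved tag cannot change what runs.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: github/codeql-action/init@0000000000000000000000000000000000000000 # v3.31.2
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - uses: github/codeql-action/analyze@0000000000000000000000000000000000000000 # v3.31.2
        with:
          category: "/language:${{ matrix.language }}"
```

The `owner/repo@<sha> # vX.Y.Z` form is the same convention the scorecard workflow's upload-sarif step follows after this PR. A full-length hash is what Scorecard's Pinned-Dependencies check credits, and the trailing tag comment is what Dependabot and Renovate read to propose the next hash, so the pin stays updatable without losing its immutability.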

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@gentamura gentamura merged commit e8b9cc2 into main Jan 2, 2026
6 of 7 checks passed
@gentamura gentamura deleted the fix-codeql-scorecard branch January 2, 2026 00:33
@gentamura gentamura self-assigned this Jan 2, 2026