From 86f87f13673d5f523132baaaf7967881ff4079eb Mon Sep 17 00:00:00 2001
From: Tirso Garcia
Date: Wed, 18 Mar 2026 21:22:44 +0100
Subject: [PATCH] feat: add CodeQL security scanning to workspace CI
Adds CodeQL static analysis job (Go) to the workspace CI pipeline, matching the tool-learning CI which already has CodeQL. Scans workspace code only (excludes services/ and e2e/). Builds with k8s tag to cover all code paths.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 12b1e11..25b2635 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -189,6 +189,39 @@ jobs:
 run: govulncheck ./...
 continue-on-error: true
 
+ # ──────────────────────────────────────────────
+ # CodeQL — static analysis for security
+ # ──────────────────────────────────────────────
+ codeql:
+ name: CodeQL
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version: ${{ env.GO_VERSION }}
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: go
+ config: |
+ paths-ignore:
+ - services
+ - e2e
+
+ - name: Build
+ run: CGO_ENABLED=0 go build -tags k8s ./...
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: workspace
+
 # ──────────────────────────────────────────────
 # Docker — image build
 # ──────────────────────────────────────────────
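Review bot: The four `uses:` lines in the new `codeql` job (checkout@v4, setup-go@v5, codeql-action/init@v3, codeql-action/analyze@v3) reference mutable major-version tags, so a job that writes `security-events` runs whatever those tags point to at the time; pinning each to a full-length commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<FULL_COMMIT_SHA>  # v4`, makes the step content reviewable and Dependabot-updatable, and should match however the rest of ci.yml (outside this hunk) pins its actions. Since the job only needs `contents: read`, `persist-credentials: false` under the checkout step's `with:` also keeps the token out of the workspace for the later build step. The `paths-ignore` entries for `services` and `e2e` are worth a comment: for a compiled language CodeQL still extracts whatever `go build -tags k8s ./...` compiles, so if those directories are part of the same Go module the exclusion filters the reported alerts rather than skipping the build, and a note like `# paths-ignore filters alerts; services/ and e2e/ are separate modules not reached by ./...` (if that is in fact the layout) would spare the next reader the same question. The surrounding `jobs:` mapping, the `env.GO_VERSION` definition, and the workflow's top-level `permissions:` all lie outside this hunk.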