
Copilot AI commented Feb 10, 2026

CodeQL Enablement

  • Create CodeQL workflow configuration
    • Configure CodeQL for Rust language
    • Set up build steps for Rust workspace
    • Set up CodeQL database initialization and analysis
  • Integrate CodeQL into ci.yml
    • Remove separate codeql.yml workflow file
    • Add CodeQL job to ci.yml workflow
    • Verify build commands work correctly
  • Address review feedback
    • Scope security-events:write permission to only the codeql job (least-privilege)
    • Fix step indentation to match other jobs in the workflow
    • Use --profile ci to match other jobs and avoid cache duplication
    • Remove CodeQL from basics gate to avoid blocking expensive tests

Summary

CodeQL is now integrated into the CI workflow and runs in parallel with all other jobs. It is not part of the "basics" gate, which means:

  • Fast basic checks (clippy, fmt, etc.) complete in ~30 seconds and immediately unblock expensive tests
  • CodeQL runs in parallel with expensive tests (workspace tests, coverage, etc.)
  • Total CI time is not increased by CodeQL's ~8 minute runtime
  • CodeQL is still a required check for PRs - it just doesn't block other tests from starting

The job follows least-privilege principles with scoped permissions and uses the ci profile for build caching consistency.

Original prompt

This section details the original issue you should resolve

<issue_title>CodeQL enablement</issue_title>
<issue_description>## Is your feature request related to a problem? Please describe.
Enable CodeQL checks

</issue_description>

Comments on the Issue (you are @copilot in this section)

Co-authored-by: harsha-simhadri <5590673+harsha-simhadri@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Enable CodeQL checks for code analysis" to "Enable CodeQL security analysis" Feb 10, 2026
Co-authored-by: arrayka <1551741+arrayka@users.noreply.github.com>
Copilot AI changed the title from "Enable CodeQL security analysis" to "Enable CodeQL security analysis as pre-checkin validation" Feb 10, 2026
Copilot AI requested a review from arrayka February 10, 2026 16:44
@harsha-simhadri harsha-simhadri marked this pull request as ready for review February 10, 2026 20:49
@harsha-simhadri harsha-simhadri requested review from a team and Copilot February 10, 2026 20:49
Copilot AI left a comment

Pull request overview

Adds CodeQL code scanning to the existing CI workflow so Rust security analysis runs as part of the required “basics” gate before more expensive jobs execute.

Changes:

  • Grants workflow permissions needed to upload CodeQL results (security-events: write).
  • Adds a new codeql job that initializes CodeQL for Rust, builds the workspace, and uploads analysis results.
  • Includes the codeql job in the basics gating job’s needs list.


Comment on lines 134 to 137

```yaml
steps:
- name: Checkout repository
  uses: actions/checkout@v4
```

Copilot AI Feb 10, 2026

The codeql job’s steps block uses an indentless sequence (steps: followed by - name at the same indentation). The rest of this workflow consistently indents step list items under steps:; aligning the indentation here improves consistency/readability and avoids potential YAML parsing differences across tooling.

Contributor Author

Fixed the indentation in commit cbdbb77. The steps are now properly indented to match the rest of the workflow.

Comment on lines 29 to 32

```yaml
permissions:
  contents: read
  security-events: write
```

Copilot AI Feb 10, 2026

security-events: write is granted at the workflow level, which gives every job broader permissions than needed. To follow least-privilege, keep the top-level permissions minimal (e.g., contents: read) and set permissions: { security-events: write, contents: read } only on the codeql job (or only on the analyze step).

Contributor

Seconded.

Contributor Author

Fixed in commit cbdbb77. The security-events: write permission is now scoped only to the codeql job instead of being granted at the workflow level, following the least-privilege principle.

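The permission scoping discussed in this thread, as an added example that is not part of the PR or the repository's workflow: a small Python model of GitHub's documented rule that a job-level `permissions` block replaces (does not merge with) the workflow-level one, applied to constructed before/after workflows. The job names and the simplified handling of a workflow with no `permissions` block at all are assumptions.

```python
# Added example (not from the PR): effective GITHUB_TOKEN permissions per job.
# GitHub applies a job-level `permissions` block *instead of* the workflow-level
# one, and any scope missing from the block that applies is `none`.  That is why
# the job-scoped block must restate `contents: read` next to
# `security-events: write`, or actions/checkout in that job loses read access.
# Workflows are constructed, written as already-parsed YAML (no PyYAML needed);
# job names are illustrative, not the repository's.

WEAK = {  # before: write scope granted to every job at workflow level
    "permissions": {"contents": "read", "security-events": "write"},
    "jobs": {"clippy": {}, "tests": {}, "codeql": {}},
}

FIXED = {  # after: write scope only on the job that uploads SARIF results
    "permissions": {"contents": "read"},
    "jobs": {
        "clippy": {},
        "tests": {},
        "codeql": {"permissions": {"contents": "read",
                                   "security-events": "write"}},
    },
}

BROKEN = {  # job block present but contents: read not restated
    "permissions": {"contents": "read"},
    "jobs": {"codeql": {"permissions": {"security-events": "write"}}},
}


def effective_permissions(workflow, job_name):
    """Scopes the job's token really has (scope -> 'read' / 'write').

    Simplification: when neither level declares a block, the repository default
    applies; this model returns {} for that case instead.
    """
    job = workflow["jobs"][job_name]
    return dict(job.get("permissions", workflow.get("permissions", {})))


def jobs_with(workflow, scope, access):
    """Sorted job names whose token grants `access` on `scope` (blast radius)."""
    return sorted(j for j in workflow["jobs"]
                  if effective_permissions(workflow, j).get(scope) == access)


def can_checkout(workflow, job_name):
    """actions/checkout needs at least contents: read on the job token."""
    return effective_permissions(workflow, job_name).get("contents") in ("read", "write")
```

Running `jobs_with(WEAK, "security-events", "write")` lists every job, while the fixed layout lists only `codeql`; `BROKEN` shows the job that scoped the write permission but can no longer check out the repository.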
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@codecov-commenter

codecov-commenter commented Feb 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.99%. Comparing base (3674a49) to head (18d2d4c).
⚠️ Report is 4 commits behind head on main.


@@           Coverage Diff           @@
##             main     #754   +/-   ##
=======================================
  Coverage   88.99%   88.99%           
=======================================
  Files         428      428           
  Lines       78234    78235    +1     
=======================================
+ Hits        69626    69627    +1     
  Misses       8608     8608           
Flag       Coverage Δ
miri       88.99% <ø> (+<0.01%) ⬆️
unittests  88.99% <ø> (+<0.01%) ⬆️

@hildebrandmw
Contributor

A few comments:

  1. Putting this in the basic tests basically doubles our CI time since it appears to take about 8 minutes to run, whereas before our basic tests were much shorter.
  2. A neutral check in CI seems to not have passed. Is this expected?
  3. We may want to check if we also want to use the "ci" cargo-profile when building the workspace for scanning. It's possible that not using this profile will result in duplicate entries in our CI cache that we could otherwise hit. I don't know if profiles are treated differently for these purposes though.

@copilot - would you be able to weigh in on these comments?

Co-authored-by: hildebrandmw <24898651+hildebrandmw@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 10, 2026

A few comments:

  1. Putting this in the basic tests basically doubles our CI time since it appears to take about 8 minutes to run, whereas before our basic tests were much shorter.
    ...

Addressed in commit cbdbb77:

  1. CI time: CodeQL does take ~8 minutes but runs in parallel with other basic checks (clippy, fmt, etc.), so it shouldn't double the total time - it just extends the longest-running job in the basics gate. All basics jobs must complete before expensive tests run.

  2. Neutral check: I'm not seeing details about which neutral check failed. Could you provide more information about which check is showing as neutral?

  3. CI profile: Now using --profile ci for the build, which should maintain cache consistency with other CI jobs and avoid duplicate cache entries.

Co-authored-by: hildebrandmw <24898651+hildebrandmw@users.noreply.github.com>
Copilot AI changed the title from "Enable CodeQL security analysis as pre-checkin validation" to "Enable CodeQL security analysis" Feb 11, 2026
Copilot AI requested a review from hildebrandmw February 11, 2026 00:06