feather-reader 0.2.2

A minimalist, atproto-native RSS/Atom reader in Rust — your feed subscriptions live in your own PDS.
Documentation
name: CodeQL

# GitHub's semantic code-scanning (SAST). Results land in the Security tab.
#
# ── RUNNER / COST TRADEOFF ────────────────────────────────────────────────────
# CodeQL is DESIGNED FOR GITHUB-HOSTED runners (the Actions bundle ships the
# CodeQL CLI + query packs; the self-hosted CI VM does not). So this workflow
# uses `ubuntu-latest`, NOT the self-hosted runner.
#
#   * While the repo is PRIVATE, GitHub-hosted runs consume Actions minutes.
#   * Once the repo is PUBLIC, GitHub-hosted Actions (and code scanning) are
#     FREE — this is the intended steady state for the OSS release.
#
# Now the repo is public, GitHub-hosted Actions + code scanning are free, so it
# runs on every PR to `main` (per-PR SAST), on push to `main`, and on a weekly
# schedule. See .github/workflows/README.md.
#
# ── LANGUAGES ─────────────────────────────────────────────────────────────────
#   * javascript-typescript — the OAuth sidecar (oauth-sidecar/).
#   * rust — DROPPED: CodeQL's Rust extractor (public beta) errored on ALL source
#     files here (0 extracted OK / 11 with errors), producing no usable analysis.
#     Rust is covered by clippy (-D warnings) + cargo-deny + cargo-audit. Re-add
#     the `rust` matrix entry once GitHub GA's a working Rust pack.

# ── TRIGGERS / SCORECARD SAST COVERAGE ────────────────────────────────────────
# Runs on EVERY pull_request targeting `main` (so every merged PR carries a
# CodeQL check-run), on push to `main`, on a weekly deep scan, and manually.
#
# Do NOT add a `paths:`/`paths-ignore:` filter here. OSSF Scorecard's SAST check
# samples recent merged PRs and expects a CodeQL check-run on each — including
# config-only PRs (e.g. a lone Cargo.toml / *.yml change). A path filter would
# skip those, drop the check-run, and regress the Scorecard SAST score. The
# single javascript-typescript leg is cheap (~1 min) and always produces the run.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "27 4 * * 1"  # Mondays 04:27 UTC — weekly deep scan
  workflow_dispatch:

# Least-privilege default for the workflow; the analyze job grants itself the
# security-events: write it needs to upload SARIF.
permissions:
  contents: read

concurrency:
  group: codeql-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # Code scanning needs GitHub Advanced Security on a PRIVATE repo, so the SARIF
    # upload fails while private. Skip until the repo is public (free + enabled then).
    if: ${{ github.event.repository.private == false }}
    runs-on: ubuntu-latest  # GitHub-hosted: free once public; see header note
    permissions:
      actions: read
      contents: read
      security-events: write  # upload SARIF to the Security tab
    strategy:
      fail-fast: false
      matrix:
        language: [javascript-typescript]  # rust dropped — see header (extractor beta errors on all files)
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

      - name: Initialize CodeQL
        uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
        with:
          languages: ${{ matrix.language }}
          # `security-and-quality` = the broader query suite (security + code
          # quality), a good default for a new OSS project.
          queries: security-and-quality

      # Rust + TypeScript are both no-build (CodeQL extracts from source /
      # autobuilds). If the Rust extractor ever needs a real build, replace this
      # with an explicit `cargo build` step guarded on matrix.language == rust.
      - name: Autobuild
        uses: github/codeql-action/autobuild@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
        with:
          category: "/language:${{ matrix.language }}"