From 2061ea04b4b7e02221ce81993736ccc9653d0a7c Mon Sep 17 00:00:00 2001
From: Angu Prasad
Date: Thu, 14 May 2026 21:30:22 +0400
Subject: [PATCH] ci(PRODSEC-343): consolidate CodeQL workflows into single unified scan - codeql.yml
---
 .github/workflows/codeql.yml | 37 ++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000000..9eebe52d646
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,37 @@
+name: "CodeQL"
+
+on:
+ schedule:
+ - cron: '0 1 * * *' # Daily at 01:00 UTC
+ workflow_dispatch:
+ inputs:
+ ref:
+ description: 'Branch or tag to scan (leave empty for default branch)'
+ required: false
+ default: ''
+ pull_request:
+ types: [opened, reopened, ready_for_review, synchronize]
+ # branches: [master, main]
+
+# Cancel in-progress PR scans when new commits arrive; never cancel full scans.
+concurrency:
+ group: codeql-unified-${{ github.repository }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ scan:
+ # Skip draft PRs. Non-PR events are never drafts so this guard is a no-op
+ # for schedule/workflow_dispatch.
+ if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
+ uses: KeepTruckin/security-scanners/.github/workflows/codeql-scan.yml@master
+ with:
+ ref: ${{ inputs.ref || '' }}
+ # Full scans (schedule/dispatch) seed the overlay-base cache for PR scans.
+ # PR scans restore it read-only — they must NOT overwrite it.
+ save-cache: ${{ github.event_name != 'pull_request' }}
+ secrets: inherit
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ packages: read
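Review bot: The reusable workflow is called at a mutable ref, `codeql-scan.yml@master`, while the job also passes `secrets: inherit` and grants `security-events: write`, so any change landing on that branch of security-scanners runs immediately in this repo with those secrets and permissions and there is no reviewable, reproducible pin in this file. Pin the caller to a release tag or, preferably, a full-length commit SHA and note the version alongside it, e.g. `uses: KeepTruckin/security-scanners/.github/workflows/codeql-scan.yml@<full-commit-sha-placeholder>  # vX.Y (placeholder)`, and bump it deliberately; if the team wants the scanner to float, say so in a comment so the trade-off is explicit. The commented-out `# branches: [master, main]` under `pull_request` is dead configuration: either enable the filter or drop the line, since as written every PR target branch is scanned and a reader cannot tell whether that is intended. Separately, the diffstat shows only this new file being created; if the workflows this is meant to consolidate still exist in the repo, they presumably keep running in parallel until a follow-up removes them — worth confirming.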