From 8a69788dde8be6709a425265643856929124a0e3 Mon Sep 17 00:00:00 2001 From: "ghas-management[bot]" <255882726+ghas-management[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 11:16:26 +0000 Subject: [PATCH 1/2] Enable CodeQL advanced setup Adds CodeQL workflow for security scanning --- .github/workflows/codeql-analysis.yml | 67 +++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..25542f3 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,67 @@
+# ghas-management-template-version: 1.0
+
+name: "CodeQL Advanced Security Scanning"
+
+on:
+# Initial proposal is daily runs to avoid overloading runners, teams can uncomment below to enable on push and PR events
+# push:
+# branches: [ "main", "master" ]
+# pull_request:
+# branches: [ "main", "master" ]
+ schedule:
+ - cron: '56 3 * * *' # Randomized per repository, daily runs somewhere between 22:00 and 06:00 UTC
+ workflow_dispatch:
+
+env:
+ ARTIFACTORY_PASSWORD: ${{ secrets.EE_ARTIFACTORY_PASSWORD }}
+ ARTIFACTORY_URL: ${{ secrets.EE_ARTIFACTORY_URL }}
+ ARTIFACTORY_USERNAME: ${{ secrets.EE_ARTIFACTORY_USERNAME }}
+ VAULT_ROLE_ID: ${{ secrets.VAULT_ROLE_ID }}
+ VAULT_SECRET_ID: ${{ secrets.VAULT_SECRET_ID }}
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ee-runner
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ packages: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: java-kotlin
+ build-mode: manual
+ # For languages that require build, teams must specify the container in which CodeQL will run; if language does not require build this section is removed by automation
+ container:
+ image: 'IMAGE_PLACEHOLDER' # Teams should adapt, should be in the format 'eu.gcr.io/halfpipe-io/build-image'
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ packs: springernature/http4k-poc-models@1.0.0
+
+ - name: Build app
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ 'BUILD_COMMAND_PLACEHOLDER'
+ # Teams must specify the build command for their application; if language does not require build this step is removed by automation
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{matrix.language}}"
+ threads: 2
\ No newline at
end of file From b6ae6f1d146a8dc2a732ea92c07fada30859c054 Mon Sep 17 00:00:00 2001 From: "ghas-management[bot]" <255882726+ghas-management[bot]@users.noreply.github.com> Date: Tue, 10 Mar 2026 23:16:13 +0000 Subject: [PATCH 2/2] Update CodeQL workflow Automated workflow update --- .github/workflows/codeql-analysis.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 25542f3..3c03ec9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,13 +1,13 @@ -# ghas-management-template-version: 1.0 +# ghas-management-template-version: 1.1 name: "CodeQL Advanced Security Scanning" on: -# Initial proposal is daily runs to avoid overloading runners, teams can uncomment below to enable on push and PR events -# push: -# branches: [ "main", "master" ] -# pull_request: -# branches: [ "main", "master" ] + # Initial proposal is daily runs to avoid overloading runners, teams can uncomment below to enable on push and PR events + # push: + # branches: [ "main", "master" ] + # pull_request: + # branches: [ "main", "master" ] schedule: - cron: '56 3 * * *' # Randomized per repository, daily runs somewhere between 22:00 and 06:00 UTC workflow_dispatch: @@ -22,7 +22,7 @@ env: jobs: analyze: name: Analyze - runs-on: ee-runner + runs-on: ubuntu-latest permissions: actions: read contents: read @@ -43,11 +43,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} 
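Review bot: The workflow-level `env:` block in the first patch exports `ARTIFACTORY_PASSWORD`, `VAULT_ROLE_ID` and `VAULT_SECRET_ID` into every step of the job, including the third-party `actions/checkout` and `github/codeql-action` steps that have no use for them; the only consumer is the `Build app` step, and the second patch's `@@ -22,7 +22,7 @@ env:` hunk leaves that block in place. Declaring them as a step-level `env:` on `Build app` keeps the credentials out of the other actions' process environment and out of anything those actions spawn, without changing what the build sees. Separately, the `run: |` body executes the quoted word `'BUILD_COMMAND_PLACEHOLDER'` as a command, so an unedited manual-build job fails at that step; if that is the intended forcing function, say so in the comment that follows it, e.g. `# This placeholder fails the job on purpose until a real build command is substituted`. Rewritten step below; the YAML indentation of the hunk was lost in collapsing, so the excerpt uses conventional two-space nesting.
```yaml
# … unchanged: name / on / jobs header — remove the workflow-level env: block …
      - name: Build app
        if: matrix.build-mode == 'manual'
        shell: bash
        env:
          ARTIFACTORY_PASSWORD: ${{ secrets.EE_ARTIFACTORY_PASSWORD }}
          ARTIFACTORY_URL: ${{ secrets.EE_ARTIFACTORY_URL }}
          ARTIFACTORY_USERNAME: ${{ secrets.EE_ARTIFACTORY_USERNAME }}
          VAULT_ROLE_ID: ${{ secrets.VAULT_ROLE_ID }}
          VAULT_SECRET_ID: ${{ secrets.VAULT_SECRET_ID }}
        run: |
          'BUILD_COMMAND_PLACEHOLDER'
          # Teams must specify the build command for their application; if language does not require build this step is removed by automation
# … unchanged: Perform CodeQL Analysis step …
```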
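Review bot: `runs-on: ubuntu-latest` in the `@@ -22,7 +22,7 @@` hunk moves the job to a GitHub-hosted runner, while the job still declares `container: image: 'IMAGE_PLACEHOLDER'` (outside this hunk) for an internal `eu.gcr.io/halfpipe-io` build image and the surrounding `env:` context lines pass Artifactory and Vault secrets that presumably target internal endpoints. If that registry is private, pulling the image on a hosted runner needs `credentials:` (`username`/`password`) under `container:`, and the Artifactory and Vault URLs must be reachable from outside the network the `ee-runner` pool sat in; neither is addressed by this update. If only the build-free `actions` entry is meant to move, make the runner a matrix field, e.g. `runs-on: ${{ matrix.runner }}` with `runner: ubuntu-latest` on the `actions` entry and `runner: ee-runner` on `java-kotlin`.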
@@ -61,7 +61,7 @@ jobs: # Teams must specify the build command for their application; if language does not require build this step is removed by automation - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: category: "/language:${{matrix.language}}" threads: 2 \ No newline at end of file