Skip to content

[Feat] Add CodeQL triage automation settings and UI#407

Merged
mrubens merged 4 commits into
developfrom
feature/codeql-triage-settings-ui-17upbzqg6ulow
Jul 16, 2026
Merged

[Feat] Add CodeQL triage automation settings and UI#407
mrubens merged 4 commits into
developfrom
feature/codeql-triage-settings-ui-17upbzqg6ulow

Conversation

@roomote-roomote

@roomote-roomote roomote-roomote Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Opened on behalf of Matt Rubens. Follow up by mentioning @roomote-roomote, in the web UI, or in Slack.

What changed

Adds Triage CodeQL Alerts as a first-class scheduled automation, mirrored from Dependabot triage end-to-end:

  • Automations settings UI card (after Dependabot) with schedule Off/Daily/Weekly, Slack/Discord destination, and CodeQL/code-scanning remediation copy
  • Web settings save/read and tRPC input schema wiring for codeqlTriage / codeql_triage
  • Supporting types, DB projection, scheduled job, skill invocation, and suggestion prompt plumbing
  • Public docs for the automation and GitHub code-scanning alert permissions
  • Fast-path GitHub App manifest now requests security_events: read so newly created apps can list CodeQL / code-scanning alerts

Why this change was made

Teams already have Dependabot triage; CodeQL/code-scanning alerts need the same scan → prioritize → launch focused remediation tasks loop without manually opening follow-up work. Without code-scanning read access on the GitHub App, scheduled triage cannot retrieve alerts.

Impact

Admins can enable CodeQL triage on a schedule (or run now), choose a reporting channel, and get implement-changes follow-ups from open code-scanning/CodeQL alerts. The scan itself does not open PRs. New apps created through Roomote’s GitHub App manifest already include the permission needed for those alert reads.

Screenshots

Automations list with CodeQL card after Dependabot

Expanded CodeQL card schedule options Never/Daily/Once a week

Wire codeql_triage through web automations settings (save/read/_app zod)
and the Automations UI card after Dependabot, alongside supporting
types/db/job/skill plumbing that mirror Dependabot triage.
@roomote-roomote

roomote-roomote Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

No new code issues found. See task

  • Medium: Add security_events: 'read' to the GitHub App manifest permissions in apps/web/src/trpc/commands/github/mutations.ts and update its manifest test. Fixed in 7296597.

Reviewed a6684cf

Add CodeQL triage docs next to Dependabot, note code-scanning alert
permissions, and cover explicit \$codeql-triage packaged-skill routing.
@roomote-roomote

roomote-roomote Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

Fixed the outstanding review item in 7296597:

  • Added security_events: 'read' to the fast-path GitHub App manifest permissions
  • Updated the manifest unit test to assert the new permission

New apps created through Roomote’s form will include code-scanning/CodeQL alert read access. Existing installed apps still need a permission upgrade on GitHub if they were created before this change.

mrubens added 2 commits July 16, 2026 03:58
Add security_events: read so fast-path created apps can retrieve CodeQL /
code-scanning alerts for scheduled triage.
@mrubens
mrubens marked this pull request as ready for review July 16, 2026 17:31
@mrubens
mrubens merged commit b8e96a7 into develop Jul 16, 2026
17 checks passed
@mrubens
mrubens deleted the feature/codeql-triage-settings-ui-17upbzqg6ulow branch July 16, 2026 17:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant