# CodeQL analysis config for certctl.
#
# Loaded by .github/workflows/codeql.yml's `Initialize CodeQL` step via
# `config-file:`. Two responsibilities:
#
# 1. Re-declare the query suite the workflow runs (security-and-quality)
#    so that disabling the action's default suite via
#    `disable-default-queries: true` doesn't accidentally drop coverage.
#
# 2. Load the local model pack at .github/codeql/certctl-models/, which
#    adds project-specific Models-as-Data extensions (barriers, sinks,
#    summaries) for the standard Go queries. See
#    certctl-models/qlpack.yml for the full motivation.
#
# `paths-ignore` is intentionally empty — every path that ships with the
# repo is in scope. Test files are NOT excluded; if a vulnerability
# regresses in a test fixture and is later promoted to production, we
# want CodeQL to catch it on first appearance.

name: certctl-codeql

# Run the same query suite the workflow has been running pre-config-file:
# security-and-quality (security findings + maintainability/correctness).
# Listing it here ensures the suite stays in scope even if the action's
# default behavior shifts.
queries:
  - uses: security-and-quality

# Load the local model pack BY NAME. The action's `init` step resolves
# this name against the path it was given via `additional-packs: .github/codeql`
# — that path is the parent directory of certctl-models/, where
# the pack's qlpack.yml declares `name: shankar0123/certctl-models`.
#
# An earlier draft used `packs: { go: ['./'] }` (a relative path). That's
# the wrong syntax — the `packs:` field expects pack NAMES, not paths.
# Local-by-path is not supported here; the discovery happens via
# additional-packs + name lookup. Verified against the github/vscode-codeql
# working setup.
packs:
  go:
    - shankar0123/certctl-models
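
# ----------------------------------------------------------------------
# Added example (not part of the original config, and not the project's
# own files): the two pieces this config depends on, shown as YAML
# comments so this file stays a valid config. The pack name comes from
# the comments above; the workflow file path, config-file path, action
# version and pack version are assumptions.
#
#   # .github/workflows/codeql.yml, `Initialize CodeQL` step (assumed)
#   - name: Initialize CodeQL
#     uses: github/codeql-action/init@v3          # version assumed
#     with:
#       languages: go
#       disable-default-queries: true             # `queries:` above re-adds the suite
#       config-file: .github/codeql/codeql-config.yml   # assumed path to this file
#       additional-packs: .github/codeql          # parent dir of certctl-models/
#
#   # .github/codeql/certctl-models/qlpack.yml, minimal model pack (assumed)
#   name: shankar0123/certctl-models              # must match `packs:` above
#   version: 0.0.1                                # assumed
#   library: true
#   extensionTargets:
#     codeql/go-all: '*'                          # extends the standard Go library
#   dataExtensions:
#     - models/*.yml                              # the Models-as-Data files
#
# A quick check that the pack is actually being picked up: run the
# workflow with `debug: true` on the init step and confirm the pack name
# appears in the resolved-packs output; if the name is wrong or the
# `additional-packs` directory is not the pack's parent, the queries
# still run but silently without the project-specific sinks and
# barriers.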