
CodeQL 1: chore(codeql): exclude generated build artifacts from scanning #189

Merged: rlorenzo merged 1 commit into main from codeql/1-exclude-generated on May 13, 2026

Conversation

@rlorenzo rlorenzo commented May 13, 2026

Summary

  • Move CodeQL query config from inline (queries: security-and-quality) into a new .github/codeql/codeql-config.yml and reference it via config-file: in the workflow.
  • Add paths-ignore for **/obj/** and **/bin/** so CodeQL stops reporting alerts on Roslyn-generated .g.cs files (Razor source generator output, xUnit auto-entry-point).

Why

The Razor source generator and xUnit auto-entrypoint generator emit real C# files into obj/ during autobuild. CodeQL traces the build and ingests those generated files, producing noise we cannot act on:

  • 50× cs/missed-readonly-modifier in web/obj/.../RazorSourceGenerator/Areas/**
  • cs/missed-ternary-operator in test/obj/.../XunitAutoGeneratedEntryPoint.cs

Filtering these out at the config level gives a clean alert list that reflects code we own.

Context

First in a planned CodeQL N: series of cleanup PRs separate from the existing stacked-refactor series (#176–#179). See repo discussion for the full grouping.

Test plan

  • CodeQL workflow runs successfully on this PR.
  • After merge, the ~50 cs/missed-readonly-modifier alerts and the auto-generated cs/missed-ternary-operator alert close automatically on the next scan.
  • No previously visible alert in non-generated code disappears from the dashboard.

The Razor source generator and xUnit auto-entrypoint generator emit
.g.cs files into obj/ that CodeQL ingests during autobuild, producing
~50 noise alerts (cs/missed-readonly-modifier on generated code that we
do not author). Move to a config file and add paths-ignore for obj/ and
bin/ so the alert list reflects code we can act on.
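As an added illustration of the change the summary describes (this is not the PR's own file, whose exact contents are not shown on this page), the configuration below is written in the CodeQL config-file format: the query suite that was previously given inline in the workflow moves under `queries:`, and `paths-ignore` carries the two globs from the summary. The file name and path match the one named in the summary; the comments are mine.

```yaml
# .github/codeql/codeql-config.yml
# Added example; the PR's actual file is not reproduced on this page.
name: "CodeQL config"

# Previously passed inline to github/codeql-action/init as
#   queries: security-and-quality
queries:
  - uses: security-and-quality

# Generated build output. The Razor source generator and the xUnit
# auto-entry-point generator write .g.cs files under obj/ during autobuild.
# Caveat for compiled languages such as C#: CodeQL still extracts these
# files as part of the traced build; paths-ignore is applied when results
# are reported, so alerts located under these directories are dropped from
# the uploaded SARIF rather than the files being kept out of the database.
# The leading "**/" is what makes the filter match nested project
# directories such as web/obj/... and test/obj/... .
paths-ignore:
  - "**/obj/**"
  - "**/bin/**"
```

In the workflow, the inline `queries: security-and-quality` input of the `github/codeql-action/init` step is replaced by `config-file: ./.github/codeql/codeql-config.yml`, which is the `config-file:` reference the summary mentions. The check that goes with this is the one in the test plan: after the next scan, only alerts whose location is under an `obj/` or `bin/` directory should close, and any alert in hand-written code that disappears at the same time is a sign the globs are broader than intended.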
coderabbitai Bot commented May 13, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

Required labels (at least one): review-ready

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Run configuration

Configuration used: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: da24b81a-65a1-4c87-96b1-9d9d018e0105

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


codecov-commenter commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.96%. Comparing base (f52e63b) to head (9b39be5).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #189   +/-   ##
=======================================
  Coverage   42.96%   42.96%           
=======================================
  Files         877      877           
  Lines       51468    51468           
  Branches     4802     4802           
=======================================
  Hits        22113    22113           
  Misses      28831    28831           
  Partials      524      524           
Flag       Coverage   Δ
backend    43.04%     <ø> (ø)
frontend   41.34%     <ø> (ø)

Flags with carried forward coverage won't be shown.


codecov-commenter commented May 13, 2026
Bundle Report

Bundle size has no change ✅
