
chore(repo): add advanced security with suppression & fix issues #160

Merged: CalinaCristian merged 1 commit into main from chore/more-improvements on Feb 3, 2026

Conversation

@CalinaCristian
Collaborator

🔒 Enable CodeQL Alert Suppression + Fix Remaining Security Alerts

Adds a custom CodeQL workflow to enable in-source alert suppression via lgtm[...] comments, and fixes the last outstanding security alerts.

Changes

New Workflow

  • .github/workflows/codeql.yml - Custom CodeQL analysis with:
    • Alert suppression support (AlertSuppression.ql pack)
    • Actions + JavaScript/TypeScript scanning
    • Commit SHA pinning for security
    • persist-credentials: false hardening

Security Fixes (3 alerts)

Alert #75 - Credential Persistence (release.yml)

  • Added persist-credentials: false to checkout
  • Configured manual git credentials for push operations
  • Prevents credential leakage through artifacts

Alert #1 & #64 - Secrets Exposure (vercel-deploy.yml)

  • Replaced secrets[matrix.vercel_project_id_secret] with explicit mapping
  • Prevents exposure of entire secrets context to runner
  • Now only exposes the specific secret needed per matrix job

Why This Matters

Alert Suppression:

  • GitHub's default CodeQL setup doesn't include AlertSuppression.ql queries
  • Without this workflow, // lgtm[query-id] comments are ignored
  • Custom workflow enables maintainable in-source suppressions

Security Improvements:

  • Credentials no longer persisted in git config unnecessarily
  • Secrets access limited to specific values, not entire context
  • Follows principle of least privilege

Testing

  • Workflow validated with proper permissions
  • Compatible with GitHub's advanced setup recommendations
  • Will automatically supersede default CodeQL setup
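The workflow shape the description above refers to, as an added example that is not the project's own `.github/workflows/codeql.yml`: an advanced-setup CodeQL workflow that adds the `AlertSuppression.ql` query (so `lgtm[...]` comments take effect), scans both the Actions and JavaScript/TypeScript languages, pins every action to a commit SHA, and checks out with `persist-credentials: false`. The `<40-hex-commit-sha>` / `vX.Y.Z` strings are placeholders to be replaced with real pins, the cron schedule is arbitrary, and the `codeql/actions-queries` pack name and whether that pack ships `AlertSuppression.ql` are assumptions; `AlertSuppression.ql` does exist in `codeql/javascript-queries`.

```yaml
# Added example (not the project's codeql.yml). Placeholder SHAs and the
# Actions-pack name are assumptions; see the lead-in.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"   # weekly scan; assumed schedule

# Workflow-level token is read-only; jobs opt in to what they need.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write   # needed to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
            pack: codeql/actions-queries          # assumption: pack name / has AlertSuppression.ql
          - language: javascript-typescript
            pack: codeql/javascript-queries       # ships AlertSuppression.ql
    steps:
      # Pin to a full commit SHA (tags are mutable); keep the tag in a comment
      # so reviewers and update bots can see what the SHA is meant to be.
      - uses: actions/checkout@<40-hex-commit-sha> # vX.Y.Z (placeholder)
        with:
          # Do not write GITHUB_TOKEN into .git/config; nothing here pushes.
          persist-credentials: false

      - uses: github/codeql-action/init@<40-hex-commit-sha> # vX.Y.Z (placeholder)
        with:
          languages: ${{ matrix.language }}
          # Default setup does not run AlertSuppression.ql, so in-source
          # `lgtm[query-id]` comments are ignored there. Adding the query via
          # `packs:` (scope/name:path form) keeps the default suite and adds it.
          config: |
            packs:
              - ${{ matrix.pack }}:AlertSuppression.ql

      - uses: github/codeql-action/analyze@<40-hex-commit-sha> # vX.Y.Z (placeholder)
        with:
          category: "/language:${{ matrix.language }}"
```

Once this file exists on the default branch, GitHub switches the repository from default setup to this advanced setup; the `security-events: write` permission on the job is what lets the analyze step upload results, and the read-only workflow-level token is what keeps a compromised query pack or action from doing more than reading the checkout.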

Copilot AI review requested due to automatic review settings February 3, 2026 08:07

Copilot AI left a comment


Pull request overview

Adds a custom CodeQL workflow to support in-source alert suppression using lgtm[...] comments, and updates existing code/workflows to address remaining CodeQL security alerts.

Changes:

  • Added a custom .github/workflows/codeql.yml to run CodeQL (Actions + JS/TS) with alert suppression query pack enabled.
  • Hardened CI workflows (release.yml, vercel-deploy.yml) to reduce credential persistence and narrow secret exposure patterns.
  • Replaced inline codeql[...] suppression comments with lgtm[...] suppressions in a few code/test locations.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

| File | Description |
|---|---|
| .github/workflows/codeql.yml | New CodeQL workflow with suppression pack and pinned action SHAs. |
| .github/workflows/release.yml | Disables checkout credential persistence and adjusts git push authentication. |
| .github/workflows/vercel-deploy.yml | Changes how Vercel project ID secrets are provided per matrix job. |
| web-packages/ap-chat/src/dev.ts | Switches CodeQL suppression comment to lgtm[...] for dev-only innerHTML. |
| packages/apollo-wind/src/components/forms/data-fetcher.ts | Switches CodeQL suppression comments to lgtm[...] around new Function(). |
| packages/apollo-react/src/test/canvas-mocks.ts | Switches CodeQL suppression to lgtm[...] for a test mock. |
| packages/apollo-core/scripts/test/sanitize-svg.test.ts | Switches CodeQL suppressions to lgtm[...] in test-only sanitization logic. |

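The vercel-deploy.yml change summarised above, as an added example that is not the project's own workflow: the flagged pattern (indexing the whole `secrets` context with a matrix-supplied key) is shown commented out beside an explicit per-project mapping in which each matrix value resolves to exactly one named secret. Project names, secret names, and the `vercel` CLI invocation are assumptions.

```yaml
# Added example (not the project's vercel-deploy.yml). Project names, secret
# names and the deploy command are assumptions.
name: Vercel preview deploy

on:
  pull_request:

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        project: [apollo-wind, apollo-canvas]
    steps:
      - uses: actions/checkout@<40-hex-commit-sha> # vX.Y.Z (placeholder)
        with:
          persist-credentials: false

      # BEFORE (the pattern CodeQL flagged): the secret is picked by indexing
      # the entire secrets context with a key that comes from the matrix.
      # Resolving that expression makes every secret reachable from the job,
      # and whoever can edit the matrix value chooses which one is exposed.
      #
      #   env:
      #     VERCEL_PROJECT_ID: ${{ secrets[matrix.vercel_project_id_secret] }}

      # AFTER: an explicit mapping. Only secrets referenced by name are
      # materialised in the job environment; an unknown project maps to ''.
      - name: Deploy ${{ matrix.project }}
        env:
          PROJECT: ${{ matrix.project }}          # passed via env, not interpolated into the script
          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
          VERCEL_PROJECT_ID: >-
            ${{ matrix.project == 'apollo-wind'   && secrets.VERCEL_PROJECT_ID_APOLLO_WIND
             || matrix.project == 'apollo-canvas' && secrets.VERCEL_PROJECT_ID_APOLLO_CANVAS
             || '' }}
        run: |
          set -euo pipefail
          # Fail closed: a project with no mapping must not deploy anywhere.
          if [ -z "$VERCEL_PROJECT_ID" ]; then
            echo "no Vercel project id mapped for $PROJECT" >&2
            exit 1
          fi
          npx vercel deploy --token "$VERCEL_TOKEN" --yes
```

The `a && b || c` chain is the usual Actions-expression substitute for a ternary; its caveat is that an empty secret falls through to the next branch, which is why the script checks for an empty `VERCEL_PROJECT_ID` rather than trusting the expression. If the matrix grows, one job per project (or a reusable workflow that takes the project id through its `secrets:` inputs) keeps the same property without a long expression.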

@CalinaCristian CalinaCristian force-pushed the chore/more-improvements branch from 5180721 to d91f741 Compare February 3, 2026 08:31
@github-actions

github-actions bot commented Feb 3, 2026

The latest updates on your projects (Vercel for GitHub).

| Project | Deployment | Review | Updated (PT) |
|---|---|---|---|
| apollo-canvas | 🟢 Ready | Preview, Logs | Feb 03, 2026, 12:58:19 AM |
| apollo-ui-react | 🟢 Ready | Preview, Logs | Feb 03, 2026, 12:58:13 AM |
| apollo-vertex | 🟢 Ready | Preview, Logs | Feb 03, 2026, 12:58:49 AM |
| apollo-wind | 🟢 Ready | Preview, Logs | Feb 03, 2026, 12:58:07 AM |


Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.



@CalinaCristian CalinaCristian force-pushed the chore/more-improvements branch from 84ffd69 to 26510c3 Compare February 3, 2026 08:56

Copilot AI left a comment


Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

.github/workflows/release.yml:93

  • The `http.https://github.com/.extraheader` value is not actually set the same way as actions/checkout. For git HTTPS auth, GitHub expects a Basic auth header (as used by actions/checkout), not `AUTHORIZATION: token ...`; this will likely cause `git push` to fail. Update the extraheader to use the checkout-style Basic header (e.g., base64-encoded `x-access-token:<token>`), or alternatively avoid reconfiguring auth and let checkout manage it (while still preventing persisted credentials).

```sh
            git add --all
            git commit -m "chore(release): version bump [skip ci]" -m "Packages: $CHANGED_PACKAGES"
            git push
          else
            echo "No changes to commit"
          fi
```

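The push step the suppressed comment above is about, as an added example that is not the project's release.yml: with `persist-credentials: false` the checkout leaves no token in `.git/config`, so the push has to supply its own auth, and the header has to be the Basic form that actions/checkout itself writes (`AUTHORIZATION: basic base64("x-access-token:<token>")`). The bare `AUTHORIZATION: token ...` form Copilot flagged is shown commented out. Step names, the bot identity, and the commit message are assumptions; `base64 -w0` is the GNU coreutils flag available on `ubuntu-latest`.

```yaml
# Added example (not the project's release.yml). Step names, committer identity
# and commit message are assumptions.
    steps:
      - uses: actions/checkout@<40-hex-commit-sha> # vX.Y.Z (placeholder)
        with:
          fetch-depth: 0
          persist-credentials: false    # token is NOT written to .git/config

      - name: Commit and push version bump
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # or a narrowly scoped app/PAT token
        run: |
          set -euo pipefail
          git config user.name  "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

          if git diff --quiet && git diff --cached --quiet; then
            echo "No changes to commit"
            exit 0
          fi
          git add --all
          git commit -m "chore(release): version bump [skip ci]"

          # WRONG (the form Copilot flagged): git's HTTPS transport to GitHub does
          # not authenticate with a bare "token" scheme, so the push fails.
          #   git config http.https://github.com/.extraheader "AUTHORIZATION: token ${GH_TOKEN}"

          # RIGHT: the same Basic header actions/checkout would have set, built
          # from "x-access-token:<token>". Passing it with -c scopes it to this
          # one git process, so nothing is persisted in .git/config or picked up
          # by later steps or uploaded artifacts.
          AUTH="$(printf 'x-access-token:%s' "$GH_TOKEN" | base64 -w0)"
          git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${AUTH}" push
```

`git -c` is the piece that keeps the hardening honest: a `git config ... extraheader` call would write the token back into the checkout's config, which is exactly what `persist-credentials: false` was meant to avoid. The alternative the comment mentions (letting checkout manage auth) means keeping `persist-credentials: true` and cleaning up with `git config --unset-all http.https://github.com/.extraheader` at the end of the job, which protects later steps but not artifacts collected before that cleanup runs.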

@CalinaCristian CalinaCristian merged commit 9c2d5c1 into main Feb 3, 2026
24 checks passed
@CalinaCristian CalinaCristian deleted the chore/more-improvements branch February 3, 2026 09:00
@CalinaCristian
Collaborator Author

Current Stack

  • main

Managed with stacked-prs
