docs: add CI + CodeQL status badges to README#22
Merged
Conversation
The README already shows the OpenSSF Scorecard badge; add the CI (ci.yml) and CodeQL (codeql.yml) workflow status badges next to it so the build + static analysis health is visible at a glance alongside the supply-chain score.
sprayberry-reviewer
approved these changes
Jul 12, 2026
sprayberry-reviewer
left a comment
Collaborator
There was a problem hiding this comment.
Automated review from the Sprayberry Labs fleet code reviewer — this review was submitted by the fleet's dedicated reviewer bot and counts as the repository's required automated approval.
Verdict: clean — no blocking findings. Approving.
What I checked
- Diff surface:
README.mdonly — 2 lines added, 0 deleted. Docs-only change; no source code, no workflow logic, no test surface affected. - Workflow existence: Confirmed both
ci.ymlandcodeql.ymlexist as registered GitHub Actions workflows in this repository (gh api repos/askalf/agent-security-stack/actions/workflows). - Badge URL structure: Both badge URLs follow the canonical GitHub Actions badge pattern:
The owner (
https://github.com/<owner>/<repo>/actions/workflows/<file>.badge.svgaskalf), repo (agent-security-stack), and filenames (ci.yml,codeql.yml) all match. - Link targets: The clickable badge links correctly point to the workflow run pages for the same
ci.ymlandcodeql.ymlfiles — consistent with the badge source. - Placement: Inserted above the existing OpenSSF Scorecard badge — logical grouping of CI/security health indicators.
- No security or logic concerns exist in a pure README badge addition.
Findings
None. Every element of this change is structurally correct and verifiable against the repository's actual workflow files.
What's good
Consistent badge style with the existing OpenSSF Scorecard entry. Adding CI and static-analysis status at a glance is a good practice for a security-focused repository.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds CI (
ci.yml) and CodeQL (codeql.yml) workflow status badges next to the existing OpenSSF Scorecard badge, so build + static-analysis health shows at a glance. Docs-only, no code change.(Also serves as the live end-to-end test of the fleet reviewer's new approve-when-clean mode on this repo.)