## Lerian Studio GitHub Workflows: CodeQL Security Scan & Pre-Release Dependency Gate Added
Lerian Studio has significantly hardened its open-source security posture by embedding two new automated defenses directly into its GitHub Actions shared workflows. The update transforms the standard `pr-security-scan` into a more robust gatekeeper, introducing parallel CodeQL static analysis and a mandatory check that blocks pre-release dependencies from entering the codebase. This move signals a proactive shift toward stricter, automated supply chain security for the organization and any projects that adopt its workflows.

The first new capability is an opt-in CodeQL analysis job. When enabled via `enable_codeql`, it runs in parallel with existing scans, scoping its analysis to changed files for efficiency. It performs a full init-autobuild-analyze cycle, with results posted directly to the pull request as a comment and uploaded to GitHub's Security tab for centralized tracking. The second, more aggressive feature is a pre-release version gate, enabled by default. A new `prerelease-check` composite action automatically scans `go.mod`, `package.json`, and `Dockerfile` for version pins containing `-beta` or `-rc` suffixes. Any finding is reported via GitHub annotations, and critically, the entire workflow is configured to fail, blocking the merge.
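The pre-release gate described above, as an added example that is not Lerian Studio's `prerelease-check` action: a POSIX shell script that scans the three manifests for `-beta`/`-rc` version pins, emits one GitHub `::error` annotation per hit, and exits non-zero so the job fails. The regex, the function names and the sample manifests are assumptions constructed for this demonstration.

```sh
#!/usr/bin/env sh
# Added example, not Lerian Studio's prerelease-check composite action: flag
# -beta / -rc version pins in go.mod, package.json and Dockerfile and report
# each hit as a GitHub Actions "::error" workflow annotation.

# scan_prerelease_pins FILE -> prints one annotation per pre-release pin.
# Exit 0 when the file is absent or clean, 1 when at least one pin is found.
scan_prerelease_pins() {
  file="$1"
  [ -f "$file" ] || return 0
  # Version-like token followed by -beta or -rc (optionally numbered), e.g.
  # v2.0.0-rc.1, 15.0.0-beta.2, node:21-rc; lines starting with # are skipped.
  hits=$(grep -En '[0-9]+(\.[0-9]+)*-(beta|rc)[.0-9]*([^[:alnum:]]|$)' "$file" \
         | grep -Ev '^[0-9]+:[[:space:]]*#' || true)
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits" | while IFS=: read -r lineno text; do
    printf '::error file=%s,line=%s::pre-release dependency pin: %s\n' \
      "$file" "$lineno" "$text"
  done
  return 1
}

# check_manifests DIR -> runs the gate over the three manifests the page names.
# A non-zero exit is what makes the CI job fail and blocks the merge.
check_manifests() {
  dir="$1"; rc=0
  for f in go.mod package.json Dockerfile; do
    scan_prerelease_pins "$dir/$f" || rc=1
  done
  return "$rc"
}

# Constructed sample manifests (not from any real repository) so the gate can
# be exercised offline: go.mod and package.json each carry one pre-release pin.
write_sample_manifests() {
  dir="$1"
  mkdir -p "$dir"
  printf 'module example.com/svc\n\nrequire (\n\tgithub.com/example/lib v1.4.0\n\tgithub.com/example/exp v2.0.0-rc.1\n)\n' > "$dir/go.mod"
  printf '{\n  "dependencies": {\n    "left-pad": "1.3.0",\n    "next": "15.0.0-beta.2"\n  }\n}\n' > "$dir/package.json"
  printf '# base image, stable tag\nFROM golang:1.22-alpine\n' > "$dir/Dockerfile"
}

# Usage: write_sample_manifests /tmp/gate-demo && check_manifests /tmp/gate-demo
```

Running the usage line prints two `::error` annotations (go.mod line 5, package.json line 4) and exits 1; on a clean tree it prints nothing and exits 0.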

This update creates a tangible pressure point for developers, enforcing a policy against unstable dependencies at the CI/CD level. For organizations using Lerian Studio's shared workflows, it represents an immediate elevation of security standards, shifting responsibility for code quality and dependency hygiene further left. The default failure mode for pre-release checks indicates a low tolerance for risk, potentially catching subtle supply chain vulnerabilities before they are introduced. This pattern reflects a broader industry trend of baking security directly into developer workflows, making it a compliance requirement rather than an optional audit.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: GitHub Actions, CodeQL, Supply Chain Security, DevSecOps, Static Analysis
- **Credibility**: unverified
- **Published**: 2026-04-14 14:22:56
- **ID**: 63921
- **URL**: https://whisperx.ai/en/intel/63921