Skip to content

ci: add gate job to CodeQL workflow for text-only PRs#6346

Merged
brtnfld merged 2 commits intoHDFGroup:developfrom
brtnfld:codeqltxt
Apr 4, 2026
Merged

ci: add gate job to CodeQL workflow for text-only PRs#6346
brtnfld merged 2 commits intoHDFGroup:developfrom
brtnfld:codeqltxt

Conversation

@brtnfld
Copy link
Copy Markdown
Collaborator

@brtnfld brtnfld commented Apr 3, 2026

Summary

PRs that contain only text changes (e.g., markdown, documentation) are blocked from merging because the CodeQL required status check never reports a result when the workflow is skipped via paths-ignore.

This PR fixes the issue by:

  • Removing paths-ignore from the workflow-level trigger so the workflow always runs
  • Adding a check-changes job using dorny/paths-filter to detect whether C/C++/CMake files were modified
  • Conditioning the analyze job on actual code changes (or schedule/manual dispatch)
  • Adding a codeql-complete gate job that always runs and reports success when analysis was legitimately skipped

How it works

PR type check-changes analyze codeql-complete
Code changes runs runs passes if analyze succeeds
Text-only changes runs skipped passes (skipped is OK)
check-changes failure fails skipped fails (not silently ignored)

Required follow-up

After merging, update the branch protection rules for develop to use CodeQL / codeql-complete as the required status check instead of CodeQL / Analyze.

brtnfld added 2 commits April 3, 2026 10:46
@brtnfld
ci: add gate job to CodeQL workflow for text-only PRs
ad76adb 
Remove paths-ignore from the workflow trigger and add a check-changes
job with dorny/paths-filter to detect code changes at the job level.
This ensures the workflow always triggers so the codeql-complete gate
job can report a passing status when analyze is skipped, preventing
text-only PRs from being blocked by required status checks.
@brtnfld
ci: check both check-changes and analyze results in gate job
c3222ca 
Add check-changes to the needs array of codeql-complete so that a
failure in the change-detection job is not silently treated as a
skipped analysis.
@github-project-automation github-project-automation bot moved this to To be triaged in HDF5 - TRIAGE & TRACK Apr 3, 2026
@brtnfld brtnfld moved this from To be triaged to In progress in HDF5 - TRIAGE & TRACK Apr 3, 2026
@brtnfld brtnfld merged commit a8e1719 into HDFGroup:develop Apr 4, 2026
124 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in HDF5 - TRIAGE & TRACK Apr 4, 2026
@brtnfld brtnfld mentioned this pull request Apr 4, 2026
Merged
2 tasks
brtnfld added a commit that referenced this pull request Apr 4, 2026
@brtnfld
ci: add gate job to CodeQL workflow for text-only PRs (#6346)
4137ec6 
* ci: add gate job to CodeQL workflow for text-only PRs

Remove paths-ignore from the workflow trigger and add a check-changes
job with dorny/paths-filter to detect code changes at the job level.
This ensures the workflow always triggers so the codeql-complete gate
job can report a passing status when analyze is skipped, preventing
text-only PRs from being blocked by required status checks.

* ci: check both check-changes and analyze results in gate job

Add check-changes to the needs array of codeql-complete so that a
failure in the change-detection job is not silently treated as a
skipped analysis.
brtnfld added a commit to brtnfld/hdf5 that referenced this pull request Apr 17, 2026
@brtnfld
ci: add gate job to CodeQL workflow for text-only PRs (HDFGroup#6346)
9642143 
* ci: add gate job to CodeQL workflow for text-only PRs

Remove paths-ignore from the workflow trigger and add a check-changes
job with dorny/paths-filter to detect code changes at the job level.
This ensures the workflow always triggers so the codeql-complete gate
job can report a passing status when analyze is skipped, preventing
text-only PRs from being blocked by required status checks.

* ci: check both check-changes and analyze results in gate job

Add check-changes to the needs array of codeql-complete so that a
failure in the change-detection job is not silently treated as a
skipped analysis.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lrknox lrknox lrknox approved these changes

@jhendersonHDF jhendersonHDF jhendersonHDF approved these changes

@derobins derobins Awaiting requested review from derobins derobins is a code owner

@fortnern fortnern Awaiting requested review from fortnern fortnern is a code owner

@qkoziol qkoziol Awaiting requested review from qkoziol qkoziol is a code owner

@vchoi-hdfgroup vchoi-hdfgroup Awaiting requested review from vchoi-hdfgroup vchoi-hdfgroup is a code owner

@bmribler bmribler Awaiting requested review from bmribler bmribler is a code owner

@glennsong09 glennsong09 Awaiting requested review from glennsong09 glennsong09 is a code owner

@mattjala mattjala Awaiting requested review from mattjala mattjala is a code owner

Assignees

@lrknox lrknox

@jhendersonHDF jhendersonHDF

Labels

None yet

Projects

HDF5 - TRIAGE & TRACK
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@brtnfld @lrknox @jhendersonHDF