ci(codeql): run on push→main + weekly only, not on PRs#138
Merged
Conversation
CodeQL's Rust extractor traces a full cargo build (the iced-heavy `app` crate is a cold compile the rust-cache can't shortcut, since CodeQL must observe compilation), so a run is minutes long. Running it per-PR put that on every PR's critical path for no coverage the push→main run — firing seconds after merge — doesn't already provide. Drop the pull_request trigger; keep the default-branch and weekly runs as the security baseline. Consequence: `Analyze (Rust)` must NOT be a required status check (it no longer reports on a PR), so `main` protection pins only `ci-success`. Docs updated.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
CodeQL's Rust extractor traces a full
cargo build— theiced-heavyappcrate is a cold compile, andSwatinem/rust-cachecan't shortcut itbecause CodeQL must observe compilation to extract facts. So every run is
minutes long, and running it per-PR put that on each PR's critical path for
no coverage the
push→mainrun (firing seconds after merge) doesn'talready give.
What
pull_requesttrigger fromcodeql.yml; keeppush→main+ weeklycron +
workflow_dispatch. The default-branch + weekly runs remain thesecurity baseline.
concurrencyblock (no PR runs left to cancel).docs/CI.mdupdated: SAST row →push→main, weekly/ "baseline", §2 and §3reworded.
Branch-protection consequence
Analyze (Rust)now never reports on a PR, so it must not be a requiredstatus check (a required check that never runs wedges the PR at "Expected").
mainprotection should pin onlyci-success. This matches the guidancealready in
docs/CI.md.Not in scope (separate follow-ups)
repo — that, not CodeQL, is the actual leak defense. Worth enabling in
Settings → Code security (or via
gh api).security-and-quality→security-extended.🤖 Generated with Claude Code