Skip to content

ci(codeql): run on push→main + weekly only, not on PRs#138

Merged
bastien-gallay merged 1 commit into
mainfrom
ci/codeql-main-only
Jul 5, 2026
Merged

ci(codeql): run on push→main + weekly only, not on PRs#138
bastien-gallay merged 1 commit into
mainfrom
ci/codeql-main-only

Conversation

@bastien-gallay

Copy link
Copy Markdown
Collaborator

Why

CodeQL's Rust extractor traces a full cargo build — the iced-heavy
app crate is a cold compile, and Swatinem/rust-cache can't shortcut it
because CodeQL must observe compilation to extract facts. So every run is
minutes long, and running it per-PR put that on each PR's critical path for
no coverage the push→main run (firing seconds after merge) doesn't
already give.

What

  • Drop the pull_request trigger from codeql.yml; keep push→main + weekly
    cron + workflow_dispatch. The default-branch + weekly runs remain the
    security baseline.
  • Simplify the concurrency block (no PR runs left to cancel).
  • docs/CI.md updated: SAST row → push→main, weekly / "baseline", §2 and §3
    reworded.

Branch-protection consequence

Analyze (Rust) now never reports on a PR, so it must not be a required
status check (a required check that never runs wedges the PR at "Expected").
main protection should pin only ci-success. This matches the guidance
already in docs/CI.md.

Not in scope (separate follow-ups)

  • Secret scanning + push protection are currently disabled on this public
    repo — that, not CodeQL, is the actual leak defense. Worth enabling in
    Settings → Code security (or via gh api).
  • Optional further trim: security-and-qualitysecurity-extended.

🤖 Generated with Claude Code

CodeQL's Rust extractor traces a full cargo build (the iced-heavy `app` crate
is a cold compile the rust-cache can't shortcut, since CodeQL must observe
compilation), so a run is minutes long. Running it per-PR put that on every
PR's critical path for no coverage the push→main run — firing seconds after
merge — doesn't already provide. Drop the pull_request trigger; keep the
default-branch and weekly runs as the security baseline.

Consequence: `Analyze (Rust)` must NOT be a required status check (it no longer
reports on a PR), so `main` protection pins only `ci-success`. Docs updated.
@bastien-gallay bastien-gallay merged commit 05ac5c6 into main Jul 5, 2026
16 checks passed
@bastien-gallay bastien-gallay deleted the ci/codeql-main-only branch July 5, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant