Skip to content

ci(codeql): run on push→main + weekly only, not on PRs#139

Closed
bastien-gallay wants to merge 1 commit into
mainfrom
ci/codeql-off-pr-path
Closed

ci(codeql): run on push→main + weekly only, not on PRs#139
bastien-gallay wants to merge 1 commit into
mainfrom
ci/codeql-off-pr-path

Conversation

@bastien-gallay

Copy link
Copy Markdown
Collaborator

Why

CodeQL is the slowest thing in CI. Its Rust extractor must trace a real
cargo build — there's no build-mode: none for Rust — so every run is a
multi-minute cold compile of the iced-heavy app crate, and
Swatinem/rust-cache barely helps because a traced build can't reuse a
prebuilt target/. Running it on every PR put that compile on the critical
path for coverage the post-merge run already provides.

What

  • Drop the pull_request trigger from codeql.yml; keep push→main, weekly
    cron, and workflow_dispatch.
  • concurrency.cancel-in-progressfalse (no PR runs left to cancel; never
    cancel a baseline scan).
  • SAST now lands on the merge-to-main run (plus weekly) — a regression
    surfaces within minutes of merge instead of blocking the PR.
  • Analyze (Rust) is therefore not a required check; branch protection
    requires only ci-success.
  • docs/CI.md synced (§1 table, §2 stages, §3 rationale).

Leak defense is unaffected

CodeQL never detected secrets. Credential leaks are caught by GitHub
secret scanning + push protection, which I verified is enabled on this
repo — independent of this change.

🤖 Generated with Claude Code

CodeQL's Rust extractor must trace a full cargo build (no build-mode: none for
Rust), so every run is a multi-minute cold compile of the iced-heavy app crate
— and rust-cache barely helps a traced build. Running it on every PR put that
compile on the critical path for no coverage a post-merge run doesn't give.

Drop the pull_request trigger: SAST now lands on the merge-to-main run (plus
the weekly baseline), catching regressions within minutes of merge instead of
blocking the PR. Analyze (Rust) is therefore not a required check.

Leak defense is unaffected — CodeQL never scanned for secrets; that is GitHub
secret scanning + push protection (enabled). Sync docs/CI.md.
@bastien-gallay

Copy link
Copy Markdown
Collaborator Author

Duplicate of #138 (same codeql.yml + docs/CI.md change). Consolidating on #138; closing this one.

@bastien-gallay bastien-gallay deleted the ci/codeql-off-pr-path branch July 5, 2026 09:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant