
ci: gate CodeQL analysis at the job level for docs-only PRs#40724

Merged: Humbedooh merged 2 commits into master from ci/codeql-job-level-gating on Jun 3, 2026

Conversation

@rusackas (Member) commented Jun 3, 2026

SUMMARY

CodeQL gated only its final Perform CodeQL Analysis step on the
change-detector. On a docs-only PR that meant both language runners
(python, javascript) still spun up, checked out, ran the detector, and ran
Initialize CodeQL before skipping the actual analysis.

This moves the gate to the job level using the shared lead-changes-job
pattern (same as #40718 / #40723), so the analysis runners don't start at all
when no code changed:

  analyze:
    needs: changes
    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'

Why job-level skip instead of paths-ignore: a skipped required check is
treated as passing by branch protection, whereas a paths-ignored workflow
never reports its check at all — which would deadlock merges if CodeQL is a
required check. push and scheduled (nightly) runs are unaffected: the detector
returns "all changed" for non-PR events, so full security coverage is preserved.

TESTING INSTRUCTIONS

  • Code PR: confirm Analyze (python) / Analyze (javascript) run as before.
  • Docs-only PR: confirm both are skipped (no CodeQL runners spin up).
  • Confirm the nightly schedule and push-to-master still run the full analysis.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code

CodeQL gated only its final analyze step on the change-detector, so on a
docs-only PR both language runners (python, javascript) still spun up,
checked out, ran the detector, and initialized CodeQL before skipping the
analysis. Move the gate to the job level via the shared `changes` job so
those runners don't start at all when no code changed.

A job-level skip is deliberately used instead of a `paths-ignore` filter:
a skipped required check is treated as passing by branch protection,
whereas a path-filtered workflow never reports its check and would block
merges if CodeQL is required. push and scheduled runs are unaffected (the
detector returns "all changed" for non-PR events).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
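The gating pattern the description outlines, written out as a complete workflow. This is an added example, not the project's own codeql-analysis.yml: the `changes` job here is a constructed change detector (dorny/paths-filter for pull requests, with the "all changed" result for non-PR events implemented inline), the path globs, output names and action version tags are assumptions, and the real workflow pins its actions to commit hashes rather than tags.

```yaml
name: CodeQL (job-level gated example)

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: "0 3 * * *" # constructed nightly schedule

permissions:
  contents: read
  security-events: write

jobs:
  # Shared change detector (assumed implementation; the project's own
  # `changes` job is not shown on the PR page).
  changes:
    runs-on: ubuntu-latest
    outputs:
      python: ${{ steps.decide.outputs.python }}
      frontend: ${{ steps.decide.outputs.frontend }}
    steps:
      - uses: actions/checkout@v4 # assumed tag; pin to a SHA in practice
        with:
          persist-credentials: false
      - id: filter
        if: github.event_name == 'pull_request'
        uses: dorny/paths-filter@v3 # assumed detector
        with:
          filters: |
            python:
              - '**/*.py'        # constructed globs
            frontend:
              - 'frontend/**'
      - id: decide
        env:
          EVENT_NAME: ${{ github.event_name }}
          PY_CHANGED: ${{ steps.filter.outputs.python }}
          FE_CHANGED: ${{ steps.filter.outputs.frontend }}
        run: |
          # Non-PR events (push, schedule) report "all changed" so the
          # nightly and push-to-master runs keep full coverage.
          if [ "$EVENT_NAME" != "pull_request" ]; then
            echo "python=true"   >> "$GITHUB_OUTPUT"
            echo "frontend=true" >> "$GITHUB_OUTPUT"
          else
            echo "python=${PY_CHANGED:-false}"   >> "$GITHUB_OUTPUT"
            echo "frontend=${FE_CHANGED:-false}" >> "$GITHUB_OUTPUT"
          fi

  analyze:
    name: Analyze (${{ matrix.language }})
    needs: changes
    # Job-level gate: on a docs-only PR neither matrix runner is created,
    # and the required check is reported as skipped (which branch
    # protection treats as passing).
    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript]
    steps:
      - uses: actions/checkout@v4 # assumed tag; pin to a SHA in practice
        with:
          persist-credentials: false
      - uses: github/codeql-action/init@v3 # assumed tag
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3 # assumed tag
```

Two things to check when adopting this shape: the job names produced by the matrix ("Analyze (python)", "Analyze (javascript)") must match the names branch protection lists as required checks, otherwise a renamed job silently stops being required; and the `if:` must sit on the job, not on a step, since a step-level skip still bills a runner for checkout and `Initialize CodeQL`, which is exactly the cost this PR removes.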
@bito-code-review (Contributor, bot) commented Jun 3, 2026

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

@dosubot dosubot Bot added the github_actions Pull requests that update GitHub Actions code label Jun 3, 2026
Review comment thread on .github/workflows/codeql-analysis.yml (marked Fixed)
@bito-code-review (Contributor, bot) commented:

The action actions/checkout in .github/workflows/codeql-analysis.yml is pinned to a commit hash (de0fac2e4500dabe0009e67214ff5f5447ce83dd), but it lacks a comment specifying the corresponding version tag (e.g., v4.2.2). To improve maintainability and security, it is recommended to add a comment indicating the version associated with that commit hash.

.github/workflows/codeql-analysis.yml

- name: Checkout
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
  with:
    persist-credentials: false

zizmor (code scanning) flagged a mismatched hash-pin comment: the pinned
SHA de0fac2e... is checkout v6.0.2, but the comment said "# v6" — and the
moving v6 tag has since advanced to v6.0.3, so the comment no longer
matched the pin. Update both checkout comments in this workflow to the
accurate "# v6.0.2". No behavior change (same SHA).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@rusackas rusackas added the merge-if-green If approved and tests are green, please go ahead and merge it for me label Jun 3, 2026
@Humbedooh Humbedooh merged commit 5ba60d5 into master Jun 3, 2026
51 checks passed
@Humbedooh Humbedooh deleted the ci/codeql-job-level-gating branch June 3, 2026 21:50