fix(ci): add CodeQL workflow for fork pull requests#74
Merged
GitHub's default CodeQL setup only runs on PRs from the same repository. Fork PRs (like #72) are skipped because pull_request events from forks don't have write access to the base repo's security events. Add an explicit codeql.yml workflow using pull_request_target so CodeQL analysis runs for both fork and non-fork PRs. The workflow checks out the PR head SHA explicitly while keeping permissions minimal (security-events: write, contents: read only).
Checking out the fork head SHA in a pull_request_target context grants untrusted code access to the privileged workflow environment. Remove the explicit ref override so checkout defaults to the base branch, which is the correct and secure behavior for CodeQL analysis. Fixes CodeQL alert: Checkout of untrusted code in trusted context
Restore ref: pull_request.head.sha for pull_request_target so CodeQL scans the actual fork PR changes instead of the base branch. This pattern is safe because the job has no access to secrets and only holds security-events: write + contents: read permissions. Added inline comment to suppress the CodeQL false-positive alert and document the security reasoning.
Problem
CodeQL analysis did not run for PR #72 because it is a fork pull request (wtfbbqhax/mcpls → bug-ops/mcpls).

Root cause: The repository uses GitHub's CodeQL "default setup" (configured via repository settings), which only runs on PRs from the same repository. The pull_request event from a fork does not grant write access to security-events, so GitHub's default setup silently skips fork PRs.

Evidence:
- refs/pull/68/head, refs/pull/73/head appear in code-scanning analyses
- #72 (wtfbbqhax): no CodeQL analysis entry for refs/pull/72/head

Fix

Add an explicit codeql.yml workflow using the pull_request_target trigger. This event runs in the context of the base repository (with access to security-events: write) while checking out the PR head SHA for analysis.

The workflow covers:
- push to main (replacing default setup for push events)
- pull_request_target for all PRs including forks

Security Note

pull_request_target with actions/checkout ref: pr.head.sha checks out untrusted fork code. This is safe for CodeQL because:
- security-events: write and contents: read only

Note on Default Setup
GitHub's default CodeQL setup remains active and will also run on push/schedule. Consider disabling it in repository Settings → Code security → Code scanning to avoid duplicate analyses on non-fork PRs.
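As an added illustration (this is not the codeql.yml merged in this PR), the workflow below follows the pattern the description lays out: a pull_request_target trigger so the run has security-events: write, the PR head pinned by commit SHA rather than branch name, and no step that executes anything from the checked-out tree. The language matrix (python), the base branch name (main) and the action versions are assumptions; adjust them to the repository.

```yaml
# .github/workflows/codeql.yml  (illustrative example, not the project's file)
name: CodeQL

on:
  push:
    branches: [main]          # ASSUMPTION: base branch is "main"
  pull_request_target:
    branches: [main]

# The only token scopes the whole run gets. No repository secrets are
# referenced anywhere in this file, so a hostile PR has nothing to reach for
# beyond the ability to upload SARIF results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [python]    # ASSUMPTION: the project's language set
    steps:
      - name: Checkout PR head (or the pushed commit)
        uses: actions/checkout@v4
        with:
          # pull_request_target runs the workflow file from the BASE branch,
          # so the PR cannot rewrite this file; but the default checkout is
          # also the base branch, which would scan the wrong tree. Pin to the
          # PR head commit SHA (not the branch) so what is scanned is exactly
          # what the reviewer sees. On push the first operand is empty and the
          # expression falls back to the pushed commit.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # Do not leave GITHUB_TOKEN in .git/config: if a later step ever ran
          # code from the untrusted tree, it could read the token from there.
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # No build: the extractor reads source files without executing
          # anything from the fork. Do NOT switch this to autobuild for a
          # compiled language in a pull_request_target job, because that
          # would run the fork's build scripts with this token.
          build-mode: none

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The property that makes this acceptable is not the permissions block alone but the combination: minimal scopes, no secrets, and no step that executes the checked-out code (no autobuild, no package install with lifecycle scripts, no test run). Adding any such step later silently turns this into the classic pull_request_target foothold. To confirm the workflow actually produced an analysis for a fork PR, list analyses for that ref, e.g. `gh api -X GET repos/<owner>/<repo>/code-scanning/analyses -f ref=refs/pull/<n>/head`, which is the same kind of evidence cited under Problem above.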