Do Not Run CodeQL Workflow on push Events for Dependabot Pull Request Branches #72

@mcdonnnj

Description

💡 Summary

Skip the CodeQL workflow on push events for PR branches generated by Dependabot.

Motivation and context

In cisagov/con-pca-api#224 there was the following error in the CodeQL / Analyze (python) (push) GitHub Action run:

Error: Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.

Implementation notes

I added a commit to skip the workflow if the branch matches the pattern dependabot/** in cisagov/con-pca-api@0d726be and observed that the workflow was skipped on a push event.

Acceptance criteria

  • CodeQL workflow does not run on push events for Dependabot PR branches.
  • CodeQL workflow runs for push events on all other branches.
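A CodeQL workflow trigger block that implements the fix described above, added here as an example (it is not the commit in cisagov/con-pca-api@0d726be); the pull_request target branch, the schedule and the action versions are assumptions:

```yaml
name: CodeQL

on:
  # Run on pushes to every branch except the ones Dependabot creates.
  # On a Dependabot-triggered push the workflow token is read-only, so the
  # results upload fails with the error quoted in this issue.
  # Note: branches and branches-ignore cannot both be set on one event.
  push:
    branches-ignore:
      - "dependabot/**"
  # Dependabot PRs are still scanned via pull_request, which has the
  # access needed to upload Code Scanning results.
  pull_request:
    branches:
      - develop   # assumed default branch name
  # Periodic full scan (assumed schedule, not taken from the issue).
  schedule:
    - cron: "0 10 * * 1"

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language:
          - python
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

With this trigger block, a push to a dependabot/** branch produces no CodeQL run at all, while pushes to every other branch and all pull requests are still analyzed.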

Metadata
Labels

  • bug: This issue or pull request addresses broken functionality
  • improvement: This issue or pull request will add or improve functionality, maintainability, or ease of use
Status

Done
