Skip to content

CodeQL: switch to advanced setup with path filters#26

Merged
dubsector merged 1 commit into
mainfrom
ci/codeql-skip-docs-only
Jul 4, 2026
Merged

CodeQL: switch to advanced setup with path filters#26
dubsector merged 1 commit into
mainfrom
ci/codeql-skip-docs-only

Conversation

@dubsector

Copy link
Copy Markdown
Owner

Summary

  • GitHub's hosted CodeQL "default setup" has no path-filtering option, so Analyze (actions) and Analyze (javascript-typescript) ran on every PR regardless of what changed (e.g. a README-only PR still triggered both).
  • Both are required status checks, so a naive paths-ignore would leave them permanently pending on PRs that never trigger the workflow. Instead, switched to a committed "advanced setup" workflow (.github/workflows/codeql.yml) where each matrix job always runs (so the required check always reports) but skips the actual init/analyze steps when the diff doesn't touch that language's relevant paths:
    • Analyze (actions) skips unless .github/workflows/** changed
    • Analyze (javascript-typescript) skips unless the build-affecting paths changed (same list used in ci.yml / Cloudflare's watch paths)
  • Job names (Analyze (actions), Analyze (javascript-typescript)) are unchanged, so the main-protection ruleset's required status checks still match - no ruleset update needed.
  • Disabled the repo's CodeQL default setup via the API so this workflow is the only source of analysis (avoids duplicate/conflicting scans).

Test plan

  • This PR only touches .github/workflows/codeql.yml, which isn't in either matrix's path list, so both Analyze (*) checks should complete quickly with the scan step skipped - confirm in the Actions log.
  • A future README-only PR should show both Analyze jobs skip the scan.
  • A future PR touching a workflow file should still run Analyze (actions).
  • A future PR touching src/** should still run Analyze (javascript-typescript).

…lters

GitHub's hosted "default setup" doesn't support path filtering, so
Analyze (actions) and Analyze (javascript-typescript) ran on every PR
even for docs-only changes. Both are required status checks, so a
naive paths-ignore on the trigger would leave them stuck pending
forever on such PRs - instead each matrix job always runs, but skips
the actual CodeQL init/scan when the diff doesn't touch that
language's relevant paths (workflow files for "actions", build-
affecting source/config for "javascript-typescript"). Job names are
unchanged so the branch ruleset's required checks still match without
needing an update. Disabled the default setup via the API so this
workflow is the sole source of CodeQL analysis going forward.
@dubsector dubsector merged commit e9e7e59 into main Jul 4, 2026
4 checks passed
@dubsector dubsector deleted the ci/codeql-skip-docs-only branch July 4, 2026 03:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant