CodeQL: switch to advanced setup with path filters#26
Merged
Conversation
…lters GitHub's hosted "default setup" doesn't support path filtering, so Analyze (actions) and Analyze (javascript-typescript) ran on every PR even for docs-only changes. Both are required status checks, so a naive paths-ignore on the trigger would leave them stuck pending forever on such PRs - instead each matrix job always runs, but skips the actual CodeQL init/scan when the diff doesn't touch that language's relevant paths (workflow files for "actions", build- affecting source/config for "javascript-typescript"). Job names are unchanged so the branch ruleset's required checks still match without needing an update. Disabled the default setup via the API so this workflow is the sole source of CodeQL analysis going forward.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Analyze (actions)andAnalyze (javascript-typescript)ran on every PR regardless of what changed (e.g. a README-only PR still triggered both).paths-ignorewould leave them permanently pending on PRs that never trigger the workflow. Instead, switched to a committed "advanced setup" workflow (.github/workflows/codeql.yml) where each matrix job always runs (so the required check always reports) but skips the actualinit/analyzesteps when the diff doesn't touch that language's relevant paths:Analyze (actions)skips unless.github/workflows/**changedAnalyze (javascript-typescript)skips unless the build-affecting paths changed (same list used in ci.yml / Cloudflare's watch paths)Analyze (actions),Analyze (javascript-typescript)) are unchanged, so themain-protectionruleset's required status checks still match - no ruleset update needed.Test plan
.github/workflows/codeql.yml, which isn't in either matrix's path list, so bothAnalyze (*)checks should complete quickly with the scan step skipped - confirm in the Actions log.Analyze (actions).src/**should still runAnalyze (javascript-typescript).