Ignoring folder doesn't seem to work for Go #4786

Closed
ItalyPaleAle opened this issue Dec 6, 2020 · 5 comments
Labels
question Further information is requested

Comments

@ItalyPaleAle

My project contains Go and JavaScript code, including one package, in a sub-folder, that is for building WebAssembly code. Because of that, it has to be built with special Go flags or it won't work.

When using the github/codeql-action/analyze@v1 action, by default it compiles all Go packages (with a command similar to go build ./...). This causes my CodeQL scan to fail because it tries to build the wasm package too, which can only be compiled with the correct Go flags.

Following the documentation, I created a CodeQL config file with this content:

paths-ignore:
  - wasm/

However, the CodeQL action was still trying to build my package in the wasm folder.

See: https://github.com/ItalyPaleAle/prvt/runs/1505493791?check_suite_focus=true

(My workaround was to modify the action definition and simply run a rm -rf wasm before starting the CodeQL scan)

@ItalyPaleAle ItalyPaleAle added the question Further information is requested label Dec 6, 2020
@sauyon
Contributor

sauyon commented Dec 7, 2020

If you read the small and somewhat easy to miss notes here, you'll see:

> ...the workflow runs the actions and scans all of the files changed in the pull request, including those matched by on:pull_request:paths-ignore or on:pull_request:paths, unless the files have been excluded. For information on how to exclude files from analysis, see "Specifying directories to scan."

This project seems like a prime candidate to test out our build tracing experimental feature, though. If you'd like you should be able to set CODEQL_EXTRACTOR_GO_BUILD_TRACING=on in the environment (env: key, I believe), and we should detect and use your Makefile to build the project.

@sauyon
Contributor

sauyon commented Dec 7, 2020

Ah, never mind, I misread our own documentation: the relevant gotcha is the top of this which says that it supports only Python and JS.

@ItalyPaleAle
Author

You're right, I should have just read the docs more carefully 👍

Anyways, my "workaround" works, so hopefully this issue can help other people :)

@ckreibich

> Anyways, my "workaround" works, so hopefully this issue can help other people :)

Heck yeah, thank you! Is this in fact what the docs are trying to tell us for compiled languages? It's so confusing — this says:

> For compiled languages, if you want to limit code scanning to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system.

How about an example? The referenced page says nothing about excluding files/folders.

@smowton
Contributor

smowton commented Dec 16, 2022

@ckreibich what it's trying to say is that you should specify build steps that only build the code you want to extract. For example, in a C project if I had module1/ and /module2 then maybe I would replace the autobuild step with make -C module1 if I was only interested in that one. For each language and build system the way to phrase "only build this bit" will differ, but almost always you'll be giving one or more commands that say "do build this bit I'm interested in" rather than "exclude this bit". The exception is the OP's solution of just deleting some Go and then letting the autobuilder do its usual thing, which works in this case but isn't going to be the go-to solution most of the time.

Regarding the documentation, could you suggest language that would make this clearer?
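
The two approaches discussed in this thread, written out as a workflow. This is an added example, not taken from the issue or from the CodeQL documentation; the workflow and job names, the trigger, and the assumption that `module1/` has a Makefile are constructed, and the two jobs are independent illustrations (a real repository would keep only the one matching its language).

```yaml
# Constructed example: scoping CodeQL for compiled languages, where
# paths-ignore in the CodeQL config file does not limit what gets built.
name: CodeQL
on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # needed to upload the analysis results

jobs:
  # "Build only the bit you want": replace autobuild with explicit build steps.
  # Only code compiled between init and analyze ends up in the CodeQL database.
  analyze-c:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: github/codeql-action/init@v1
        with:
          languages: cpp
      # No autobuild step here; module2/ is never compiled, so never extracted.
      - run: make -C module1
      - uses: github/codeql-action/analyze@v1

  # The workaround from the original post: delete the folder that needs
  # special build flags, then let the Go autobuilder do its usual thing.
  analyze-go:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # Runs only in the CI checkout; the repository itself is untouched.
      # Everything under wasm/ is absent from the scan and gets no alerts.
      - run: rm -rf wasm
      - uses: github/codeql-action/init@v1
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v1
      - uses: github/codeql-action/analyze@v1
```

In both jobs the excluded directory is simply not analyzed, so any code there needs its own review or a separate scan that builds it with the right flags.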
