fix(go-check): skip gosec SARIF upload on merge_group events#116
Merged
Conversation
The codeql-action/upload-sarif step fails 100% of the time on merge_group runs because GitHub deletes the gh-readonly-queue ref the moment the merge completes. By the time upload-sarif tries to attach results to that ref, it is gone:

```
##[error]ref 'refs/heads/gh-readonly-queue/main/pr-NNN-...' not found in this repository
```

This produces a guaranteed failure on every successful merge, which silently bypasses CI gating wherever branch protection treats merge_group results as non-required. Push and pull_request events run the same scan against a stable ref, so security coverage is not lost; only the redundant merge_group upload is skipped. Mirrors the existing exclusion in gitleaks.yml.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
Pull request overview
This PR prevents the reusable Go check workflow’s gosec job from failing on merge_group runs by skipping the SARIF upload step when the triggering event is merge_group, avoiding a race where the ephemeral gh-readonly-queue/... ref is deleted before upload-sarif can attach results.
Changes:
- Add an explanatory comment documenting the `merge_group` ref deletion race with `codeql-action/upload-sarif`.
- Gate the "Upload gosec SARIF" step to run only when `github.event_name != 'merge_group'`, while preserving uploads for `push` and `pull_request` events.
CybotTM added a commit that referenced this pull request on May 10, 2026
## Summary

Completes the same fix as #116 (gosec) for the three remaining reusable workflows that upload SARIF without a merge_group guard: `build-container.yml`, `release-go-app.yml`, `scorecard.yml`. The job-level guard already exists in `gitleaks.yml`.

When a workflow with a SARIF upload step is triggered by `merge_group`, `codeql-action/upload-sarif` fails 100% of the time because GitHub deletes the `gh-readonly-queue/<branch>/pr-NNN-<sha>` ref the moment the merge completes:

```
##[error]ref 'refs/heads/gh-readonly-queue/...' not found in this repository
```

Push, schedule, and release events run with stable refs, so security coverage is unchanged — only the impossible merge_group upload is skipped.

## Audit context

5 reusable workflows in this repo upload SARIF (`grep -l upload-sarif .github/workflows/`):

| Workflow | Status |
|---|---|
| `gitleaks.yml` | Already had job-level merge_group guard ✓ |
| `go-check.yml` (gosec step) | Fixed in #116 ✓ |
| `build-container.yml` | **Fixed here** |
| `release-go-app.yml` | **Fixed here** |
| `scorecard.yml` | **Fixed here** |

## Test plan

- [ ] Verify scorecard SARIF still uploads on push/schedule events (Security tab → Code scanning → scorecard)
- [ ] Verify trivy SARIF still uploads on release events (release-go-app.yml, build-container.yml)
- [ ] No callers regress on merge_group runs
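The gate this PR adds (`if: github.event_name != 'merge_group'` on the upload step) and the job-level form already used in gitleaks.yml are both things an audit can check for mechanically, which is what the `grep -l upload-sarif` sweep in the follow-up commit does by hand. The script below is an added example, not code from this PR or from the netresearch repository: it embeds constructed workflow texts in the three states the page describes (unguarded, step-level guard, job-level guard), walks their indentation instead of using a YAML library, and reports every `upload-sarif` step that would still execute on a merge_group run. The action refs, step names and job name in the embedded workflows are illustrative, not the repository's actual pins.

```python
"""Audit GitHub Actions workflow text for SARIF uploads that still run on merge_group.

Added example, not code from this PR or the repository. It embeds constructed workflow
texts and walks their indentation instead of using a YAML library, which is enough for
the jobs/steps layout GitHub Actions uses. Action and step names are illustrative.
"""
from __future__ import annotations
import re

# Constructed workflow in the shape this PR fixes: upload-sarif with no guard.
UNGUARDED = """\
on:
  push:
  pull_request:
  merge_group:
jobs:
  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run gosec
        run: echo "gosec -fmt sarif -out results.sarif ./..."
      - name: Upload gosec SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
"""
# Step-level guard, as this PR adds to go-check.yml.
STEP_GUARDED = UNGUARDED.replace(
    "      - name: Upload gosec SARIF\n",
    "      - name: Upload gosec SARIF\n        if: github.event_name != 'merge_group'\n")
# Job-level guard, the gitleaks.yml pattern the PR description cites.
JOB_GUARDED = UNGUARDED.replace(
    "    runs-on: ubuntu-latest\n",
    "    runs-on: ubuntu-latest\n    if: github.event_name != 'merge_group'\n")

GUARD_RE = re.compile(r"""github\.event_name\s*!=\s*['"]merge_group['"]""")

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def triggers_on_merge_group(text: str) -> bool:
    """True if the top-level `on:` lists merge_group, in block or inline form."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if _indent(line) == 0 and s.startswith("on:"):
            if s[3:].strip():  # inline form: `on: [push, merge_group]` or `on: push`
                return "merge_group" in re.split(r"[\[\],\s]+", s[3:])
            for nxt in lines[i + 1:]:  # block form: keys indented under on:
                if nxt.strip() and _indent(nxt) == 0:
                    break
                if _indent(nxt) == 2 and nxt.strip().split(":")[0] == "merge_group":
                    return True
            return False
    return False

def scan_workflow(text: str) -> tuple[list[dict], dict[str, str]]:
    """Collect every `uses:` step (with its job and `if:`) plus each job's own `if:`."""
    steps, job_ifs = [], {}
    section = job = cur = step_indent = None
    in_steps = False

    def flush():  # keep the step being accumulated if it runs an action
        if cur and "uses" in cur:
            steps.append(cur)

    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        ind = _indent(line)
        if ind == 0:
            section = s.rstrip(":")
            continue
        if section != "jobs":
            continue
        if ind == 2 and s.endswith(":"):  # a new job
            flush()
            job, cur, in_steps, step_indent = s[:-1], None, False, None
            job_ifs[job] = ""
            continue
        if ind == 4:  # job-level key: `steps:` opens the step list, any other key closes it
            flush()
            if s.startswith("if:"):
                job_ifs[job] = s[3:].strip()
            cur, in_steps, step_indent = None, s == "steps:", None
            continue
        if in_steps and s.startswith("- ") and step_indent in (None, ind):  # a new step
            flush()
            step_indent, cur = ind, {"job": job}
            s, ind = s[2:], ind + 2  # `- key: value` is the step's first key
        if cur is not None and ind == step_indent + 2:
            key, _, val = s.partition(":")
            cur[key.strip()] = val.strip()
    flush()
    return steps, job_ifs

def find_unguarded(text: str) -> list[str]:
    """Return 'job/step' labels for upload-sarif steps that would run on merge_group."""
    if not triggers_on_merge_group(text):
        return []
    steps, job_ifs = scan_workflow(text)
    return [f"{st['job']}/{st.get('name', '<unnamed>')}" for st in steps
            if "upload-sarif" in st["uses"]
            and not (GUARD_RE.search(st.get("if", "")) or GUARD_RE.search(job_ifs[st["job"]]))]

if __name__ == "__main__":
    for label, wf in ("unguarded", UNGUARDED), ("step guard", STEP_GUARDED), ("job guard", JOB_GUARDED):
        print(f"{label:>10}: {find_unguarded(wf) or 'ok'}")
```

A workflow that never lists `merge_group` under `on:` is reported clean regardless of guards, since the failing upload can only happen on that event; either guard placement satisfies the check, matching the two patterns the repository uses. To run it over real files, pass each `.github/workflows/*.yml` text to `find_unguarded` instead of the embedded constants.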



Summary
The `codeql-action/upload-sarif` step in the gosec job fails on every merge_group run because GitHub deletes the `gh-readonly-queue/<branch>/pr-NNN-<sha>` ref the moment the merge completes. By the time upload-sarif tries to attach results to that ref, it's gone:

This produces a guaranteed failure on every successful merge, which silently bypasses CI gating wherever branch protection treats merge_group results as non-required (e.g. netresearch/ofelia, where it allowed broken commits to land on main).

The push and pull_request events run the same scan against stable refs, so security coverage is not lost — only the redundant (and impossible) merge_group upload is skipped. Mirrors the existing job-level exclusion in `gitleaks.yml`.

Observed failures across recent merge_group runs in netresearch/ofelia:
Test plan
Upload gosec SARIF