Unable to apply CodeQL to any branch that is not the default branch #89

Closed

Comments

@benhorgen

When using the script, I wasn't able to apply the CodeQL setting to branches that are not the default branch for their repo.

For example, if I specify develop in the .yaml file it will be applied to repos with a default branch of develop but will also apply the CodeQL setting to the default branch of the other repos listed in the repos.json file.

In addition, it will not apply to the develop branch of that repo if the default branch is not develop.

Sample from codeql-analysis-javascript.yaml file:

on:
  push:
    branches: [develop]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [develop]
  schedule:
    - cron: "34 14 * * 0"

With the config above in my codeql-analysis-javascript.yaml and with two repos listed in the repos.json file the result is: Both repos will get CodeQL enabled. But only against their default branches, regardless of the default branch name.

@benhorgen (Author) commented Nov 14, 2022

Hi @NickLiffen. I didn't have assigning privileges, but thought I'd tag you in the comments.

Regarding the questions in the readme:

  • Windows, Linux, Codespaces or Mac
    Mac (VS Code)
  • What version of NodeJS you are running.
    node v16.17.0
  • Add any logs that appeared when you ran into the issue.
    There is a lot of console writelines about PRs being created and on what branches, but nothing stands out as an error. How do I get the logs to Error or warning/error?

@NickLiffen (Owner)

Hey @benhorgen 👋

Firstly, it was LOVELY to see you last week at universe 〽️ 🥳

Secondly, sorry for the late reply here; this week has been focused on getting caught up with life and making sure everything is running as normal 👍 I hope you don't mind this slightly delayed response.

Okay, so you are correct in that behaviour, and that's actually by default as well.

We don't read the branches: [*, *] array within your workflow file. We will only raise a pull request into the default branch, irrespective of what you put in that array of strings. Why do we do this? Well, it's actually for a few reasons. Firstly, for security overview, or anything else within GitHub, to think that code scanning is "turned on", it needs an analysis upload only into the default branch. So for GitHub to look at this repo and think, "is this turned on?" it only needs an analysis uploaded to the default branch, nothing else. Secondly, human error. :D This one is where the user enters the name of a branch that isn't a branch. Maybe they misspelt something? Or maybe they don't really know what goes in the branches: [*, *] array.

If you would like to do what you are talking about, my advice is to do a git pull and then a git merge where you merge the changes from the default branch into whatever sub-branches you have 👍 Hopefully that makes sense and somewhat explains why it works in this way 👍

@benhorgen (Author)

Thanks for the insights @NickLiffen, sorry I didn't close the issue after reading your response. I was hoping to try it out before replying but then got delayed.

Your insights make sense, but based on your response, I'm curious if using the branches value is necessary or if it can be ignored then? Or should I specify a few branches, like our test and our main branches? Based on your response above I get the feeling code scanning occurs on every branch (and PR) once the codeql-analysis.yml file is committed to the default branch (and the code scanning flag is toggled in the GitHub settings menu for that repo).
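The two points in this thread, that the enablement script merges the workflow into each repo's default branch regardless of the `branches:` filter, and that GitHub only considers code scanning "on" once an analysis is uploaded for the default branch, can be checked per repo before the PRs are raised. The script below is an added example and is not code from this project or from either participant; it models the `on:` block from the issue as a dict (what PyYAML would return for the file) and two constructed repos with different default branches standing in for `repos.json`. It applies GitHub's branch-filter glob rules (`*` stops at `/`, `**` does not, a later `!pattern` excludes) to report whether the push and pull_request triggers will ever fire for the default branch, whether the cron schedule keeps an upload flowing regardless, and which filter list would cover every default branch in the set. The repo names and the `audit`/`recommend_filters` helpers are illustrative assumptions, not part of the tool.

```python
import re

# Constructed sample: the 'on:' block from codeql-analysis-javascript.yaml in the
# issue, written as the dict PyYAML would produce so this runs without a YAML lib.
WORKFLOW_ON = {
    "push": {"branches": ["develop"]},
    "pull_request": {"branches": ["develop"]},
    "schedule": [{"cron": "34 14 * * 0"}],
}

# Constructed sample standing in for repos.json, with the default branch GitHub
# reports for each repo (GET /repos/{owner}/{repo} -> "default_branch").
REPOS = [
    {"full_name": "octo-org/web-app", "default_branch": "develop"},
    {"full_name": "octo-org/api", "default_branch": "main"},
]


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a GitHub branch filter into a regex: '**' matches anything
    including '/', a single '*' matches any run of characters except '/'."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(f"^{out}$")


def branch_matches(branch: str, filters: list) -> bool:
    """Evaluate an 'on.<event>.branches' list the way GitHub does: patterns are
    applied in order, and a later '!pattern' excludes a branch an earlier
    pattern selected (a later positive pattern re-includes it)."""
    matched = False
    for f in filters:
        negate = f.startswith("!")
        if _glob_to_regex(f[1:] if negate else f).match(branch):
            matched = not negate
    return matched


def audit(workflow_on: dict, repo: dict) -> dict:
    """Describe what the workflow does once it lands on this repo's default
    branch, which is where the enablement script merges it regardless of the
    'branches:' filter. An event with no 'branches' key fires for every branch."""
    default = repo["default_branch"]
    push_filters = workflow_on.get("push", {}).get("branches")
    pr_filters = workflow_on.get("pull_request", {}).get("branches")
    push_scans_default = push_filters is None or branch_matches(default, push_filters)
    pr_scans_into_default = pr_filters is None or branch_matches(default, pr_filters)
    scheduled = bool(workflow_on.get("schedule"))  # cron runs use the default branch
    warnings = []
    if not push_scans_default:
        warnings.append(f"push trigger never fires on default branch '{default}'")
    if not pr_scans_into_default:
        warnings.append(f"pull requests into '{default}' are not scanned")
    return {
        "repo": repo["full_name"],
        "merged_into": default,
        "push_scans_default": push_scans_default,
        "pr_scans_into_default": pr_scans_into_default,
        "scheduled_default_scan": scheduled,
        # GitHub needs an analysis uploaded for the default branch; either a push
        # run on it or a scheduled run (which always uses it) supplies that.
        "enabled_for_github": push_scans_default or scheduled,
        "warnings": warnings,
    }


def recommend_filters(workflow_on: dict, repos: list) -> list:
    """Filter list that keeps the existing entries and adds every default branch
    in the repo set, so push and PR scanning cover both kinds of branch."""
    existing = workflow_on.get("push", {}).get("branches") or []
    return sorted(set(existing) | {r["default_branch"] for r in repos})


if __name__ == "__main__":
    for repo in REPOS:
        print(audit(WORKFLOW_ON, repo))
    print("suggested branches:", recommend_filters(WORKFLOW_ON, REPOS))
```

For the second constructed repo the push and pull_request filters never match `main`, so only the cron entry produces a default-branch upload; dropping the `schedule:` block would leave that repo looking un-enabled in security overview even though the workflow file was merged. Listing both `main` and `develop` (the `recommend_filters` output) is the cheap way to get both PR scanning on the default branch and scanning of the development branch without relying on the schedule.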
