Does not run on Dependabot PRs

[Sammcb]

Hi! I recently started using CodeQL for checking my GitHub Actions via the Default Setup. I also use Dependabot for version management. I noticed on my Dependabot PRs that I was seeing the CodeQL jobs fail with the following error:

This was not occurring on PRs I made myself. After searching, I found this community discussion which explains that the default setup will not run jobs on Dependabot PRs.

I would appreciate having the ability to configure the default setup to run these jobs on Dependabot PRs, as this makes it difficult to require the job in a branch ruleset. At the very least, I would love better documentation of this limitation and a change in the error message to make it clearer what the issue is.

Thanks so much!

[marcogario]

👋 Thanks for the feedback.

I would appreciate having the ability to configure the default setup to run these jobs on Dependabot PRs, as this makes it difficult to require the job in a branch ruleset.

This is something we are not currently looking to support. The Dependabot PR is different from other code changes because it potentially introduces new external code that has not been vetted yet by the repo owner, thus creating a potential security risk.

as this makes it difficult to require the job in a branch ruleset.

Can you require the Code Scanning check rather than the CodeQL one? We mark the workflow intentionally as neutral as to not be blocking. Wondering if that is enough for your purpose.

At the very least, I would love better documentation of this limitation and a change in the error message to make it clearer what the issue is.

Fair point. I'll review our docs, because that should indeed be spelled out a bit more clearly. Regarding the specific error in the check suite, this is a generic message from code scanning that might occur in other contexts, but I will check with the team whether we can override it in this specific case, as it would be indeed useful.

[Sammcb]

Got it, yeah I think I can just mark the Code Scanning check for now. Thanks for planning to look over the docs/error message!