Unable to validate code scanning workflow: error: getWorkflow() failed

[parsley72]

When I run my build it includes this step:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
    languages: ${{ matrix.language }}
    source-root: source/my-app
    queries: security-extended

I'm getting this warning:

Initialize CodeQL
Unable to validate code scanning workflow: error: getWorkflow() failed: Error: Expected to find a code scanning workflow file at /home/runner/work/My-Repo-Name/My-Repo-Name/.github/workflows/ci-build.yml, but no such file existed. This can happen if the currently running workflow checks out a branch that doesn't contain the corresponding workflow file.

But the repo isn't being checked out to the root of the directory, as explained in source-root. Is there any way of telling CodeQL to look in the subdirectory to find the workflow?

[rvermeulen]

Hi @parsley72,

Thanks for you question. The init action tries to validate the workflow that is calling the init action.

This workflow should be available if you perform a actions/checkout step before the gitHub/codeql-action/init step.

The source-root property is to inform CodeQL that the root of the source is not the root of the repository. This can be the case if you have multiple projects in a repository.

To provide some further guidance we need to see the full workflow to better understand your use case.

[parsley72]

For reasons the actions/checkout step looks something like:

- name: Checkout repository
  uses: actions/checkout@v4
  with:
    path: source/my-app

so the root of the repo is in that directory.

[rvermeulen]

Thanks, that clarifies. It seems we don't take that into consideration https://github.com/github/codeql-action/blob/dd7559424621a6dd0b32ababe9e4b271a87f78d2/src/workflow.ts#L261

I will file an issue and determine how we can resolve that.

[rvermeulen]

Hi @parsley72,

If possible to share, we would like to understand the reasons/use-case for checking out the repository in the non-default path source/my-app.

[parsley72]

It's a Yocto build. We checkout the Yocto build then checkout the application source code into the source directory to build it.

[rvermeulen]

Thanks for sharing!

Your issue has been reported to the team who will triage and determine how to address it.

[rjhancock]

We have a similar use case with the MegaMek repositories with cross build dependencies which require other repositories cloned within the actions to build correctly.

Composite Gradle builds.

The project was setup before Git was around and moved over. Very old code base so no better way at this time to do it.

Would love to know how to get this to work properly as 2 of the repositories shows errors for CodeQL because of this.